Appendix A: Active Directory Management Pack Scripts

The following table summarizes the monitoring scripts that are included with a default Active Directory Management Pack installation. The sections that follow the table describe each script in detail.

| Script | Purpose | “Launched by” Processing Rule | Default Frequency |
| --- | --- | --- | --- |
| AD CPU Overload | This script provides monitoring of CPU utilization for Active Directory, as represented by LSASS.exe, on each domain controller. Because brief-duration CPU spiking on domain controllers is a common occurrence, this script contains logic to prevent the unwanted and unnecessary over-reporting of CPU bottlenecks. The script achieves this by correlating high CPU utilization with high processor queue lengths, which together provide a good indication of true CPU utilization. In addition, this script prevents the reporting of very brief utilization spikes by averaging performance values over a period of time. | Script - AD CPU Overload | Once per minute |
| AD Database and Log File | This script helps ensure that every domain controller being monitored has sufficient free disk space for the Active Directory DIT. The script monitors both the size of the Active Directory DIT, as well as the amount of free disk space on the volume on which the DIT is stored. By monitoring both of these conditions, this script helps prevent problems that occur when the DIT grows too quickly (the proliferation of new objects), when programs other than Active Directory are filling up the volume, or when a denial of service on the directory might be occurring. | Script - AD Database and Log File | Every 15 minutes |
| AD Essential Services | This script monitors the services outside Active Directory that are essential to the proper running of Active Directory. On each domain controller being monitored, this script makes sure that each of the following services is running, and it generates an error alert if the service is not available: In addition, the script determines the availability of the SYSVOL volume of the domain controller, and it checks that the DC Locator is functioning properly. | Script - AD Essential Services Running | Every 11 minutes |
| AD General Response | The AD General Response script determines the general responsiveness of Active Directory within a domain by determining the time that is required to complete a search of RootDSE. The script contacts the domain (using a serverless bind) and measures the response time for an Active Directory Service Interfaces (ADSI) bind to the RootDSE object of a domain controller in the domain. The script records this response time in Microsoft Operations Manager 2000 as performance data. Performance rules monitor the response-time data being recorded, and they generate alerts if response times exceed specified thresholds. | Script - AD General Response | Every 5 minutes |
| AD Global Catalog Search Response | This script monitors the responsiveness of the global catalog to help ensure that directory clients can search for directory objects within a forest in a timely manner. | Script - AD Global Catalog Search Response | Every 5 minutes |
| AD Lost and Found Object Count | This script monitors the number of Active Directory objects in the Lost and Found container, and it generates an alert when the number of objects in this container exceeds the threshold. The threshold for a warning alert is 10, and the threshold for an error alert is 100. | Script - AD Lost and Found Object Count | Every 2 hours |
| AD Monitor Trusts | Trust problems in Active Directory can result in many other types of problems, including authentication failures and the inability to access resources. This script enumerates the trusts on each domain controller, queries the status and validates the state of those trusts, and generates alerts if any problems exist. This script uses the WMI TrustMon provider. | Script - AD Monitor Trusts | Every 17 minutes |
| AD No GC Logon Information | This script applies only to Windows Server 2003 domain controllers, and it monitors problems with No GC Logon functionality. No GC Logon in Windows Server 2003 allows users to log on to the network, even if a global catalog is not available. This script generates an alert anytime an event associated with No GC Logon occurs, and it collects information that may be useful in troubleshooting those events. | Group Cache Refresh has reached the user limit for this domain controller and Group Refresh updates are falling behind | Runs when the following events appear in the Directory Services event log: NTDS General: 1669; NTDS General: 1670 |
| AD Op Master Response | The AD Op Master Response script monitors Active Directory operations masters. Operations masters are domain controllers that hold one or more of the FSMO roles in Active Directory. These roles are critical to the health and availability of Active Directory. The operations master roles include the following: PDC emulator operations master; Schema operations master; Domain naming operations master; Infrastructure operations master; RID operations master. This script determines whether the operations masters are responsive. The response time for each role holder is recorded as performance data, and the script generates alerts if the thresholds associated with the script are exceeded. | Script - AD Op Master Response | Every 5 minutes |
| AD Replication Monitoring | This script injects a small directory change on each domain controller being monitored, and it then monitors replication for failures and latency, based on the replication of the injected changes. | Script - AD Replication Monitoring | Every 1 hour |
| AD Replication Partner Count | For Active Directory replication to work properly, each domain controller must have an accurate record of the replication topology. This script monitors domain controllers for problems that can adversely affect the replication topology, by counting and tracking over time the number of replication partners a domain controller has and by generating alerts when too many, or too few, replication partners exist. | Script - AD Replication Partner Count | Every 2 hours |
| AD Replication Partner Op Master Consistency | For Active Directory to work properly, all domain controllers in a domain or forest must agree on the identity of the domain controllers that hold the operation master roles for their respective domain or forest. This script monitors the consistency of operation masters within a domain or forest. | Script - AD Replication Partner Op Master Consistency | Every 1 hour |
| AD Server Moved Site | This script monitors domain controllers and generates a message alert when a domain controller has recently moved to a different site. The administrator can then determine if the move was intentional. | Script - AD Server Moved Site | Once per day |

For the client-side monitoring scripts in the following table to run, you must manually add one or more computers to the Active Directory Client-Side Monitoring computer group.

| Script | Purpose | “Launched by” Processing Rule | Default Frequency |
| --- | --- | --- | --- |
| AD Client Update DCs | Each computer that is being used for client-side monitoring targets a specific set of domain controllers to monitor, depending on its monitoring configuration. This script is used to update a list of domain controllers being monitored by each of the computers that are being used for client-side monitoring. | Script - AD Client Update DCs | Once per day |
| AD Client Connectivity | This script determines if the domain controllers being monitored by a client-side monitoring computer are currently available and working, from the perspective of the client. The tests used by the script to make this determination include: ICMP Ping; Net use (to SYSVOL); LDAP ping; ADSI binding and searching; Serverless bind. | Script - AD Client Connectivity | Every 5 minutes |
| AD Client Serverless Bind | It is generally recommended that directory clients authenticate and perform directory searches against domain controllers that are located in the same site as the client to reduce WAN traffic and to ensure good response times for the client. For computers that are being used for client-side monitoring, this script determines if the domain controllers that are responsible for the site being monitored by the client are located in the same site as the client. The script achieves this by performing a serverless bind against each of its target domain controllers and by generating an alert when a domain controller is not available, responding too slowly, or located in a different site. | Script - AD Client Serverless Bind | Every 15 minutes |
| AD Client PDC Response | If the PDC emulator operations master role holder for a forest is not available to a client, clients in that forest cannot log on. For each computer being used for client-side monitoring, this script discovers, pings, and binds to the PDC emulator operations master, and it generates an alert if the ping or bind fails. | Script - AD Client PDC Response | Every 10 minutes |

AD CPU Overload

The AD CPU Overload script monitors domain controllers for total CPU utilization and LSASS CPU utilization by sampling a number of performance counters and then averaging samples over a predefined period.

Parameters

This script can be configured using the script parameters in Microsoft Operations Manager 2000. The following table describes the configurable parameters.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| CPUThreshold | 90 | (10,100) | Average sampled CPU usage, above which the CPU usage is considered excessive. This parameter is used in conjunction with the QueueLengthThreshold parameter. |
| QueueLengthThreshold | 2 | (2,8) | Average sampled Processor Queue Length, above which the CPU usage is considered excessive. This parameter is used in conjunction with the CPUThreshold parameter. |
| LSASSThreshold | 80 | (1,100) | Average sampled CPU usage for the LSASS process, above which CPU usage is considered excessive. |
| NumSamples | 10 | (1,100) | The number of samples that are averaged before comparing each performance counter with the supplied thresholds. This parameter, along with the frequency with which the script is run, determines the sampling period. |
| MaxFrequency | 15 | (1,720) | The minimum number of minutes between messages generated by this script for a given condition, either total CPU usage or LSASS CPU usage. This controls the maximum frequency at which messages are generated by the script. |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script successfully finished executing. This can be useful for debugging purposes. |

Performance Counters

The AD CPU Overload script samples performance counters using the WMI providers and properties in the following table.

| Provider | Instance | Counter |
| --- | --- | --- |
| Win32_PerfRawData_PerfOS_Processor | _Total | TimeStamp_Sys100NS |
| Win32_PerfRawData_PerfOS_Processor | _Total | PercentProcessorTime |
| Win32_PerfRawData_PerfOS_System | NA | ProcessorQueueLength |
| Win32_PerfRawData_PerfProc_Process | LSASS | Timestamp_Sys100NS |
| Win32_PerfRawData_PerfProc_Process | LSASS | PercentProcessorTime |

The PercentProcessorTime and TimeStamp_Sys100NS counters determine the average CPU usage since the previous sample, for either the entire computer or for the LSASS process.

The PercentProcessorTime counters represent the number of processor ticks on nonidle threads (Total) or on an LSASS thread (LSASS). To determine the actual PercentProcessorTime over a specific period, a time stamp must be recorded at the start and end of the period, along with the tick count at each end of the period. Using these values, the PercentProcessorTime can be computed as:

The script stores the samples in memory, the length of which is defined by the NumSamples script parameter. To calculate the average for the last NumSamples samples, the script uses the first values and last values that are stored in memory with this formula. For this reason, if multiple event rules run this script, the script will not function correctly. In addition, if the OnePoint service restarts, the data in memory is lost, and the script must start collecting data from scratch.

Note: The PercentProcessorTime counter is not normalized. That is, it represents the amount of CPU time that is used across all CPUs in the system. All thresholds, as well as all other CPU counters, are normalized. Therefore, before this property is compared to thresholds, it is normalized using the number of CPUs that are defined in the system. The number of CPUs in the system is read from the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS.

How the Script Works

Initially, the AD CPU Overload script checks all parameters for a valid value, based on the associated valid range. If a parameter is outside its valid range, the script sets the parameter to the default value, and an event is created that identifies the problem to the user. The performance counters are then sampled and stored in the buffer. When an alert occurs within MaxFrequency minutes of the previous alert, the script exits immediately, without doing anything else.

The samples in the circular buffer are validated and then averaged. (The buffer must be full before averages are calculated.) These averages are compared against the user-defined thresholds: CPUThreshold, QueueLengthThreshold, and LSASSThreshold. If both CPUThreshold and QueueLengthThreshold are exceeded by the averages, the script generates an event. The details that are stored in the event are described below.

If the LSASSThreshold threshold is exceeded, an event is generated that indicates the average CPU usage by LSASS over the sampling period.
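The sampling and alerting logic described above, modelled as an added example (not the Management Pack's own script). The raw-counter formula is missing from this page, so the sketch assumes the usual delta-ticks over delta-timestamp ratio; inclusive parameter ranges, the reading field names, and the constructed readings are also assumptions.

```python
from collections import deque

TICKS_PER_MINUTE = 60 * 10_000_000  # Sys100NS timestamps count 100 ns units

# Parameter table from the page: name -> (default, low, high).
# Treating the ranges as inclusive is an assumption (the default 2 sits on a bound).
PARAMS = {
    "CPUThreshold": (90, 10, 100),
    "QueueLengthThreshold": (2, 2, 8),
    "LSASSThreshold": (80, 1, 100),
    "NumSamples": (10, 1, 100),
    "MaxFrequency": (15, 1, 720),
}


def validate(config):
    """Reset out-of-range parameters to defaults and report each as event 20066."""
    params, events = {}, []
    for name, (default, low, high) in PARAMS.items():
        value = config.get(name, default)
        if not (isinstance(value, int) and low <= value <= high):
            events.append((20066, f"{name}={value!r} outside ({low},{high}), using {default}"))
            value = default
        params[name] = value
    return params, events


def percent_busy(first, last, ticks_key, cpus):
    """Assumed formula: 100 * delta(ticks) / delta(timestamp), divided by the CPU count."""
    elapsed = last["ts"] - first["ts"]
    if elapsed <= 0:
        return None  # single sample or counter reset: nothing to average
    return 100.0 * (last[ticks_key] - first[ticks_key]) / elapsed / cpus


class CpuOverloadModel:
    def __init__(self, config=None, cpus=1):
        self.params, self.startup_events = validate(config or {})
        self.cpus = cpus
        self.buffer = deque(maxlen=self.params["NumSamples"])  # circular buffer
        self.last_raised = {}  # event id -> minute it was last raised

    def _raise(self, events, event_id, minute, text):
        last = self.last_raised.get(event_id)
        if last is not None and minute - last < self.params["MaxFrequency"]:
            return  # suppressed: this condition was reported too recently
        self.last_raised[event_id] = minute
        events.append((event_id, text))

    def sample(self, reading, minute):
        """Store one reading; return the events this run of the script would log."""
        self.buffer.append(reading)
        if len(self.buffer) < self.buffer.maxlen:
            return []  # the buffer must be full before averages are calculated
        first, last, p = self.buffer[0], self.buffer[-1], self.params
        cpu = percent_busy(first, last, "total_ticks", self.cpus)
        lsass = percent_busy(first, last, "lsass_ticks", self.cpus)
        queue = sum(r["queue"] for r in self.buffer) / len(self.buffer)
        events = []
        # A busy CPU alone is not reported; the processor queue must back up as well.
        if cpu is not None and cpu > p["CPUThreshold"] and queue > p["QueueLengthThreshold"]:
            self._raise(events, 20070, minute, f"CPU {cpu:.0f}%, queue {queue:.1f}")
        if lsass is not None and lsass > p["LSASSThreshold"]:
            self._raise(events, 20071, minute, f"LSASS {lsass:.0f}%")
        return events


def constructed_readings(minutes, busy_pct, lsass_pct, queue, cpus=2):
    """Constructed sample data: one raw reading per minute under steady load."""
    readings = []
    for m in range(minutes):
        ts = m * TICKS_PER_MINUTE
        readings.append({"ts": ts, "queue": queue,
                         "total_ticks": ts * cpus * busy_pct // 100,
                         "lsass_ticks": ts * cpus * lsass_pct // 100})
    return readings


def replay(readings, config=None, cpus=2):
    """Feed readings to the model once per minute; return [(minute, event_id), ...]."""
    model = CpuOverloadModel(config, cpus)
    log = [(None, event_id) for event_id, _ in model.startup_events]
    for minute, reading in enumerate(readings):
        log += [(minute, event_id) for event_id, _ in model.sample(reading, minute)]
    return log


if __name__ == "__main__":
    print(replay(constructed_readings(30, 95, 10, 0)))  # busy CPU, empty queue
    print(replay(constructed_readings(30, 95, 10, 5)))  # sustained overload
```
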

Events

The CPU Overloaded event is generated when both the CPUThreshold and the QueueLengthThreshold thresholds are exceeded. The event always indicates the threshold values and the current averages.

The script also attempts to indicate the most active processes, using the following algorithm:

Before the event is created, the script stores the value of the PercentProcessorTime and TimeStamp_Sys100NS properties from each instance of the Win32_PerfRawData_PerfProc_Process WMI object in the system.

The script then sleeps for 10,000 milliseconds (10 seconds).

For each instance of the Win32_PerfRawData_PerfProc_Process WMI object in the system that exists after the 10-second wait, the script records the current values of the two properties mentioned above, and from these four counters it calculates the CPU usage of each process.

Any processes that exceed 10-percent CPU usage over the 10-second period are appended to the end of the event message, along with the number of processes that are running at the end of the 10-second period. If no processes exceed 10-percent CPU usage, the number of processes is not appended to the event message. This indicates that many processes are running, but none are using more than 10-percent CPU during the sampling period. For instance, if a CPU utilization of 100 percent results from 20 processes, each using 5-percent CPU, an event is created without any processes being appended to the event message.

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 20066 | An invalid parameter was defined. The event describes the invalid parameter and how to correct it. |
| 21000 | An error was encountered during execution of the script that the script does not specifically handle. These include errors that are returned by the WMI provider, errors when binding to RootDSE, and so on. The error message describes the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 20070 | The CPU overloaded. This event is described in the “Events” section above. |
| 20071 | This is the LSASS process high-CPU-usage event. This event indicates that the average LSASS process CPU usage has exceeded the LSASSThreshold threshold over the sampling period. The event message describes the threshold and the current average value. |
| 20099 | This event is logged to indicate that the script successfully completed running. This event is only logged when the LogSuccessEvent parameter is True. |
| 20002 | This event is logged to indicate that the script was not run by an event processing rule and that the script will not execute. |

Rules

The AD CPU Overload script generates utilization alerts using the processing rules in the following table.

| Rule | Description |
| --- | --- |
| CPU is overloaded | Generates a Warning alert when event ID 20070 occurs. Alert suppression is configured on Source Name, Event Number, Computer, and Logging Domain. No responses are run with respect to this rule. |
| The LSASS process is using a high percentage of available CPU time | Generates a Warning alert when event ID 20071 occurs. Alert suppression is configured on Source Name, Event Number, Computer, and Logging Domain. No responses are run with respect to this rule. |

AD Database and Log File

The AD Database and Log File script monitors database size and log file size and available free space on the associated disk volumes. By default, the script runs every 15 minutes, and it calls on the OOMADs COM object to obtain data.

For this script to run successfully, the account under which the OnePoint agent is running must have access to the registry to read the following registry keys:

This script can be configured using the script parameters in Microsoft Operations Manager 2000. The following table describes the configurable parameters.

| Parameter Name | Default Value | Valid Range | What it does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script successfully finished executing. This parameter can be useful for debugging purposes. |

How the Script Works

The script first calls OOMADs.GetDatabaseInfo. If that call succeeds, the script stores the returned values for drive free space and database size as performance data. The script then calls OOMADs.GetLogFileInfo. If that call succeeds, the script stores the returned values for drive free space and database log size as performance data. If both calls succeed, the script attempts to determine if a significant decrease has occurred in the amount of free space on either drive, and, if possible, it identifies the cause of the reduction of free space.

To make this determination, the script records the following data in a varset:

DIT Size

Log Size

Free DB Space

Free Log Space

SYSVOL Size

Last Execution Time

After the two calls to OOMADs.GetDatabaseInfo and OOMADs.GetLogFileInfo, the previously stored values are read from the varset, and the new values are written to the varset, with the older values stored in local variables.

Database and Log File Growth

When a domain controller is not in its first replication cycle, the script performs a test to determine whether excessive growth in either the database or the log files is occurring.

Note: Immediately after a domain controller is newly promoted, an initial, complete replication cycle must occur before the domain controller begins advertising its services on the network. During this initial replication cycle, the database and log file sizes are expected to grow significantly; this growth is not reported by the script as an error. However, for a new domain controller, the script still reports any low-disk-space conditions.

To determine whether the domain controller is in its initial replication cycle, an attempt is made to read the replUpToDateVector attribute on the LDAP://RootDSE object of the local computer. If the attribute exists, the domain controller has already completed its first replication cycle.

A comparison of the current and previous values is used to determine whether the database or log has grown more than 20 percent since the last running of the script. If excessive growth has occurred, an event is generated that indicates the amount of growth and the time difference in minutes between the current and previous measurements.

Note: The 20-percent value is fixed, and it cannot be configured by the user.

Free Space

Required Free Space

The logical drive that holds the database file requires the greater of 500,000 kilobytes (KB) or 20 percent of the current database size to be available.

The logical drive that holds the log file requires the greater of 200,000 KB or 5 percent of the current database size to be available.

Free-Space Algorithm

This script always performs the free-disk-space check, regardless of the state of the initial replication cycle.

First, the script determines whether the database and log files reside on the same logical drive. The script makes this determination by comparing the first two characters of the file path for both the database and the log files. (If one path uses a UNC path name, and the other path uses a drive\directory path name, the check fails.)

If both files reside on the same drive, the amount of free space that is required on the database drive is added to the amount of free space on the log drive.

The required amount of free space is then checked against the available free space. If the required free space is greater than the available free space, an event is generated. The event contains the current free space on the drive, the calculated required free space on the drive, and a reason for the change in free space, if available.

Reason for the Change in Free Space

The reason for the change in free space is an attempt by the script to describe the cause of the reduction in available free space on the database drive.

To determine a reason for the change in drive space, the script obtains the current and previous values of the following components, if the respective components reside on the drive:

SYSVOL directory (and subdirectories)

DIT File

Log File

If any of these components have grown in size significantly since the previous running of the script, the script indicates this fact as the reason for the reduction in free space on the drive.

Note: Because of the cost involved in determining the size of the SYSVOL directory, determination of the space used by the SYSVOL is performed less frequently than the other file size tests under normal operation. This frequency is hard-coded to 6, but it adjusts upward automatically if a low-disk-space condition is detected.
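The growth test and free-space algorithm above, worked through as an added example (not the Management Pack's own script). The snapshot fields and sample sizes are constructed; summing the two requirements when both files share a drive, ignoring letter case in the drive comparison, and reporting any size increase as the reason are this sketch's readings of the text.

```python
def same_drive(dit_path, log_path):
    """The page's test: compare the first two characters of both paths.
    Ignoring letter case is an assumption of this sketch."""
    return dit_path[:2].upper() == log_path[:2].upper()


def required_free_kb(dit_kb):
    """(database drive, log drive) requirements in KB; both derive from the database size."""
    return max(500_000, dit_kb * 20 // 100), max(200_000, dit_kb * 5 // 100)


def growth_events(cur, prev, first_cycle_done):
    """Events 20334/20335 when the DIT or log grew more than the fixed 20 percent."""
    if not first_cycle_done or prev is None:
        return []  # growth during the initial replication cycle is expected
    minutes = cur["minute"] - prev["minute"]
    events = []
    for key, event_id in (("dit_kb", 20334), ("log_kb", 20335)):
        if prev[key] > 0 and cur[key] * 100 > prev[key] * 120:
            pct = (cur[key] - prev[key]) * 100 // prev[key]
            events.append((event_id, f"{key} grew {pct}% in {minutes} min"))
    return events


def reason_for_change(cur, prev):
    """Components that grew since the previous run, largest first.
    Simplification: does not filter by which drive each component lives on."""
    if prev is None:
        return "no previous measurement"
    grown = sorted(((cur[k] - prev[k], k) for k in ("sysvol_kb", "dit_kb", "log_kb")
                    if cur[k] > prev[k]), reverse=True)
    return ", ".join(f"{k} +{d} KB" for d, k in grown) or "no monitored component grew"


def free_space_events(cur, prev):
    """Event 20333 for each drive whose required free space exceeds what is available."""
    db_req, log_req = required_free_kb(cur["dit_kb"])
    if same_drive(cur["dit_path"], cur["log_path"]):
        checks = [("database and log drive", db_req + log_req, cur["free_db_kb"])]
    else:
        checks = [("database drive", db_req, cur["free_db_kb"]),
                  ("log drive", log_req, cur["free_log_kb"])]
    reason = reason_for_change(cur, prev)
    return [(20333, f"{label}: free {free} KB, required {required} KB; {reason}")
            for label, required, free in checks if required > free]


def evaluate(cur, prev, first_cycle_done):
    """Growth is skipped during the first replication cycle; free space is always checked."""
    return growth_events(cur, prev, first_cycle_done) + free_space_events(cur, prev)


def snapshot(minute, dit_kb, log_kb, free_db_kb, free_log_kb, sysvol_kb,
             dit_path=r"D:\NTDS\ntds.dit", log_path=r"D:\NTDS\edb.log"):
    """Constructed stand-in for the values the script keeps in its varset."""
    return dict(minute=minute, dit_kb=dit_kb, log_kb=log_kb, free_db_kb=free_db_kb,
                free_log_kb=free_log_kb, sysvol_kb=sysvol_kb,
                dit_path=dit_path, log_path=log_path)


if __name__ == "__main__":
    before = snapshot(0, 4_000_000, 100_000, 2_000_000, 2_000_000, 50_000)
    after = snapshot(15, 5_000_000, 100_000, 1_000_000, 1_000_000, 50_000)
    for event in evaluate(after, before, first_cycle_done=True):
        print(event)
```
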

Events

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 20066 | An invalid parameter was defined. The event describes the invalid parameter and how to correct it. |
| 21000 | An error was encountered during execution of the script that the script does not specifically handle. These include errors returned by the WMI provider, errors when binding to the RootDSE, and so on. The error message describes the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 20023 | An error occurred while obtaining information about the database. |
| 20024 | An error occurred while obtaining information about the log file. |
| 20333 | Space available warning. This indicates that one of the drives that either the DIT or log files are on has a low-space condition. |
| 20334 | DIT Growth Warning. This indicates that the DIT has grown quickly, unexpectedly. This should be investigated. |
| 20335 | Log File Growth Warning. This indicates that the Log File has grown quickly, unexpectedly. This should be investigated. |
| 20099 | This event is logged to indicate that the script successfully completed running. It is only logged when the LogSuccessEvent parameter is True. |
| 20002 | This event is logged to indicate that the script was not run by an event processing rule. The script will not execute. |

Rules

The AD Database and Log File script generates alerts using the processing rule in the following table.

| Rule | Description |
| --- | --- |
| Database and Log File Drive Space - Error | This rule generates an error message from event 20333. The messages are suppressed on Event Number, Source Name, and Computer. |

AD Essential Services

The AD Essential Services script monitors the following five services that are essential to Active Directory:

FRS

Intersite Messaging (required on Windows 2000 domain controllers)

NetLogon

KDC

W32Time

In addition, this script determines the availability of the following:

The SYSVOL share

The DC Locator service

The AD Essential Services script runs every 11 minutes by default. The script uses an 11-minute interval, rather than a 5-minute interval, to avoid an excessive number of monitoring scripts running at 5-minute intervals.

Parameters

This script can be configured using the script parameter in the following table.

| Parameter Name | Default Value | Valid Range | What it does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether the script logs an event indicating successful completion, which can be useful for debugging purposes. |

How the Script Works

This script checks the status of the essential Active Directory services previously mentioned. If one of the services is not running, or if the script cannot determine the status of a service, the script generates an event indicating the current state of the service.

If the script finds a service that is not running, the script records the service status in a Microsoft Operations Manager 2000 variable. If the service is running, any previous value in the variable is erased, and an informational event is generated indicating that the service has resumed running.

After the status of the services has been checked, the script attempts to map a network drive using the path \\127.0.0.1\SYSVOL, which represents the SYSVOL directory on the domain controller. If the attempt to map a network drive fails, an event is generated indicating the error that is returned from the attempt. In addition, a MOM variable is set indicating that a failure has occurred.

If the attempt to map a network drive succeeds, the mapped drive is removed. In addition, if the MOM variable indicates that a previous failure has occurred, the variable is cleared, and an informational event is generated indicating that the SYSVOL directory is now available.

The script also determines whether the domain controller has been running for more than 20 minutes, by sampling the TimeStamp_Sys100NS counter on the Win32_PerfRawData_PerfOS_System WMI object.

If the NetLogon service is running, and if the system has been running for more than 20 minutes, the domain controller locator is checked by calling GetAnyDCName on an instance of the ADSystemInfo object, which indirectly calls the DsGetDCName application programming interface (API). The name that is returned is compared with the name of the local domain controller. If the names do not match, the script generates an error message indicating that the domain controller is not advertising. In addition, a MOM variable is set indicating that a failure has occurred. If the names match, and if a MOM variable was previously set, the variable is cleared, and an event is generated indicating that the DC Locator has resumed working.
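The service-state latch and the gated DC Locator check described above, as an added example (not the Management Pack's own script); the SYSVOL mapping test is left out. The `state` dictionary stands in for the MOM variables, the run data is constructed, and reusing event 38907 at Information severity for locator recovery and comparing names without regard to case are assumptions.

```python
# Event numbers from the page's event table for this script.
SERVICE_EVENTS = {"FRS": 38901, "NetLogon": 38902, "KDC": 38903,
                  "W32Time": 38904, "Intersite Messaging": 38905}
LOCATOR_EVENT = 38907
MIN_UPTIME_MINUTES = 20


def check_run(state, services, uptime_minutes, local_dc, located_dc):
    """One run of the modelled checks.

    state       -- dict standing in for the MOM variables; updated in place
    services    -- {service name: True if running}; a missing entry counts as not running
    located_dc  -- the name the locator returned (GetAnyDCName in the real script)
    Returns [(event_id, severity, text), ...].
    """
    events = []
    for name, event_id in SERVICE_EVENTS.items():
        if not services.get(name, False):
            state[name] = "not running"  # remember the failure for the next run
            events.append((event_id, "Error", f"{name} is not running"))
        elif state.pop(name, None) is not None:
            # Running now and a failure was recorded earlier: report the recovery once.
            events.append((event_id, "Information", f"{name} has resumed running"))

    # The locator is only tested when NetLogon is up and the DC has run for over 20 minutes.
    if services.get("NetLogon", False) and uptime_minutes > MIN_UPTIME_MINUTES:
        if located_dc.lower() != local_dc.lower():
            state["locator"] = "failed"
            events.append((LOCATOR_EVENT, "Error",
                           f"locator returned {located_dc}, expected {local_dc}"))
        elif state.pop("locator", None) is not None:
            events.append((LOCATOR_EVENT, "Information", "DC Locator has resumed working"))
    return events


ALL_UP = {name: True for name in SERVICE_EVENTS}

# Constructed runs at the default 11-minute interval: (uptime, services, located name).
CONSTRUCTED_RUNS = [
    (5, ALL_UP, "DC2"),                     # too early: locator mismatch is not tested
    (16, {**ALL_UP, "KDC": False}, "DC2"),  # KDC stopped, still inside the 20 minutes
    (27, ALL_UP, "DC2"),                    # KDC back, locator now tested and wrong
    (38, ALL_UP, "dc1"),                    # locator returns the local DC again
]


def replay(runs, local_dc="DC1"):
    """Return, per run, the (event_id, severity) pairs that run would log."""
    state = {}
    return [[(eid, sev) for eid, sev, _ in check_run(state, svc, up, local_dc, found)]
            for up, svc, found in runs]


if __name__ == "__main__":
    for run_events in replay(CONSTRUCTED_RUNS):
        print(run_events)
```
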

Events

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 21000 | An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and other errors. The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 38901 | When this event is reported as an Error, FRS is not running. When this event is reported as Information, FRS has resumed running. |
| 38902 | When this event is reported as an Error, the NetLogon service is not running. When this event is reported as Information, the NetLogon service has resumed running. |
| 38903 | When this event is reported as an Error, KDC is not running. When this event is reported as Information, KDC has resumed running. |
| 38904 | If this event is reported as an Error, the W32Time service is not running. If this event is reported as Information, the W32Time service has resumed running. |
| 38905 | If this event is reported as an Error, the Intersite Messaging service is not running. If this event is reported as Information, the Intersite Messaging service has resumed running. |
| 38906 | Mapping the network drive \\127.0.0.1\SYSVOL failed. The error is included as part of the event description. |
| 38907 | When this event occurs, domain controller location failed. The local domain controller name was not returned from the call to GetAnyDCName. The local domain controller name and the name that is returned from GetAnyDCName are included as part of the event description. |
| 38910 | This event indicates that the script completed successfully. The event is only logged when the LogSuccessEvent parameter is True. |
| 20002 | This event is logged to indicate that the script was not run by a MOM event processing rule, and therefore it will not run. |

Rules

The AD Essential Services script generates alerts through the processing rules in the following table.

| Rule | Description |
| --- | --- |
| AD Essential Services Running Consolidation Rule | This rule consolidates all events generated by the script that match the following criteria: Event Number; Event Type (Information, Warning, Error, and others); Source Name; Agent; and Source Domain. Events are consolidated over a 3,600-second (1-hour) period. |
| Cannot connect to local SYSVOL share | This rule generates an Error alert when event 38906 occurs. The alert is suppressed on the following attributes: Source Name, Event Number, and Computer. |
| File Replication Service has resumed running | This rule generates an Information alert when event 38901 of the severity level Information occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain. |
| File Replication Service is not running | This rule generates an Error alert when event 38901 of the severity level Error occurs. The alert is suppressed on the following attributes: Alert Description, Source Name, Event Number, Computer, and Logging Domain. |
| Intersite Messaging Service has resumed running | This rule generates an Information alert when event 38905 of the severity level Information occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain. |
| Intersite Messaging Service is not running | This rule generates an Error alert when event 38905 of the severity level Error occurs. The alert is suppressed on the following attributes: Alert Description, Source Name, Event Number, Computer, and Logging Domain. |
| Kerberos Key Distribution Center Service (KDC) has resumed running | This rule generates an Information alert when event 38903 of the severity level Information occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain. |
| Kerberos Key Distribution Center Service (KDC) is not running | This rule generates an Error alert when event 38903 of the severity level Error occurs. The alert is suppressed on the following attributes: Alert Description, Source Name, Event Number, Computer, and Logging Domain. |
| NetLogon Service has resumed running | This rule generates an Information alert when event 38902 of the severity level Information occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain. |
| NetLogon Service is not running | This rule generates an Error alert when event 38902 of the severity level Error occurs. The alert is suppressed on the following attributes: Alert Description, Source Name, Event Number, Computer, and Logging Domain. |
| The domain controller is not advertising. Clients will not be able to locate this domain controller | This rule generates an Error alert when event 38907 occurs. The alert is suppressed on the following attributes: Source Name, Event Number, and Computer. |
| Windows Time Service has resumed running | This rule generates an Information alert when event 38904 of the severity level Information occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain. |
| Windows Time Service is not running | This rule generates an Error alert when event 38904 of the severity level Error occurs. The alert is suppressed on the following attributes: Alert Description, Source Name, Event Number, Computer, and Logging Domain. |

AD General Response

The AD General Response script determines the general responsiveness of Active Directory within a domain by determining the time that is required to complete a search of RootDSE. The script contacts a domain controller in the domain (using a serverless bind) and measures the response time for an ADSI bind to the RootDSE object on the domain controller. The script records this response time in Microsoft Operations Manager 2000 as performance data. Performance rules monitor the response time data being recorded, and they generate alerts if response times exceed specified thresholds. This script runs every 5 minutes by default.

Parameters

This script accepts two parameters, as described in the following table. If FailureThreshold falls outside the valid range, the script resets the value to the default, and it generates an event indicating the invalid configuration.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| FailureThreshold | 4 | (1,20) | The number of consecutive failures that are required before an alert is generated. |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating the script finished successfully, which can be useful for debugging purposes. |

How the Script Works

This script performs a serverless ADSI bind to RootDSE. If the bind fails, the script generates an event indicating the failure, and it increments two counters. The first counter indicates the number of consecutive failures. The second counter indicates the number of failures per day. If the number of consecutive failures reaches the value of FailureThreshold, an event is generated containing the reason for each of the consecutive failures.

If the bind succeeds, the first counter (for consecutive failures) is reset to 0, and performance data is generated. The performance data (measured in seconds) is stored in MOM in the ActiveDirectoryMP/Active Directory Last Bind performance counter.

At the end of each day, if any failures have occurred, an event is generated indicating the total number of failures for the day. This practice allows the tracking of intermittent problems that do not cause excessive consecutive failures to occur but that may cause an unacceptable number of failures over a given amount of time.

Events

The AD General Response script generates the events in the following table.

Event Number

Purpose

20066

An invalid parameter was defined. The event describes the invalid parameter and how to correct it.

21000

An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors returned by the WMI provider, errors in binding to RootDSE, and other errors.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20025

This event is logged to indicate that the script completed successfully, and it is logged only when the LogSuccessEvent parameter is set to True.

20002

This event is logged to indicate that the script was not run by an event processing rule, and therefore it will not run.

Rules

The rules in the following table are associated with this script.

Rule

Description

Active Directory Last Bind - Critical Error:

When the average of the last five samples of the specified counter is greater than 30 seconds, a Critical alert is generated. The alert indicates the average over the last five samples. This alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Active Directory Last Bind - Error:

When the average of the last five samples of the specified counter is greater than 15 seconds, an Error alert is generated. The alert indicates the average over the last five samples. This alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Active Directory Last Bind - Warning:

When the average of the last five samples of the specified counter is greater than 5 seconds, an Information alert is generated. The alert indicates the average over the last five samples. This alert is suppressed on the following attributes: Alert Source, Computer, and Domain.
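The counter and threshold logic described above, modelled in Python as an added example (not the Management Pack's own script). The ADSI bind is replaced by a caller-supplied `probe` callable, and the string event labels are hypothetical because the page gives no numbers for those events; treating the valid range as inclusive and waiting for five samples before alerting are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

DEFAULT_FAILURE_THRESHOLD = 4
VALID_RANGE = (1, 20)  # page's valid range; treated as inclusive (assumption)
# Rule tiers from the page: average of the last five samples, in seconds.
TIERS = [(30.0, "Critical Error"), (15.0, "Error"), (5.0, "Warning")]


@dataclass
class GeneralResponseMonitor:
    failure_threshold: int = DEFAULT_FAILURE_THRESHOLD
    consecutive: int = 0            # first counter: consecutive failures
    daily: int = 0                  # second counter: failures per day
    day: Optional[date] = None
    reasons: list = field(default_factory=list)
    samples: deque = field(default_factory=lambda: deque(maxlen=5))
    events: list = field(default_factory=list)  # (label, detail) tuples

    def __post_init__(self):
        low, high = VALID_RANGE
        if not low <= self.failure_threshold <= high:
            # 20066 is the page's "invalid parameter" event number.
            self.events.append((20066, f"FailureThreshold={self.failure_threshold}"))
            self.failure_threshold = DEFAULT_FAILURE_THRESHOLD

    def run(self, probe, today):
        """One scheduled run. probe() returns the bind time in seconds or
        raises OSError; today is the calendar date of the run."""
        # End of day: summarize intermittent failures, then reset the daily counter.
        if self.day is not None and today != self.day and self.daily:
            self.events.append(("daily-summary", self.daily))
        if today != self.day:
            self.day, self.daily = today, 0
        try:
            elapsed = probe()
        except OSError as exc:
            self.consecutive += 1
            self.daily += 1
            self.reasons.append(str(exc))
            self.events.append(("bind-failed", str(exc)))
            # Fires once, when the counter reaches the threshold, and carries
            # the reason for each of the consecutive failures.
            if self.consecutive == self.failure_threshold:
                self.events.append(("threshold-reached", list(self.reasons)))
            return None
        self.consecutive = 0        # success resets only the consecutive counter
        self.reasons.clear()
        self.samples.append(elapsed)
        return self.alert_level()

    def alert_level(self):
        """Name of the highest rule tier the five-sample average exceeds, or None."""
        if len(self.samples) < self.samples.maxlen:
            return None
        average = sum(self.samples) / len(self.samples)
        for limit, level in TIERS:
            if average > limit:
                return level
        return None


if __name__ == "__main__":
    # Constructed sequence: two failed binds, then slow but successful binds.
    def refused():
        raise OSError("constructed: server is not operational")

    monitor = GeneralResponseMonitor(failure_threshold=2)
    today = date(2024, 1, 1)
    for probe in [refused, refused] + [lambda: 6.0] * 5:
        level = monitor.run(probe, today)
    print(level, monitor.events)
```

Because a success resets only the consecutive counter, a domain controller that fails one bind in three never reaches FailureThreshold; the daily summary is the only place that pattern becomes visible.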

AD Global Catalog Search Response

The AD Global Catalog Search Response script searches a global catalog and measures search response time. The script can be run only by an event processing rule, and it can be run only on a domain controller.

Parameters

This script accepts the parameters that are described in the following table. When FailureThreshold falls outside the valid range, the script resets the value to the default value and generates an event. The script does not validate the query that is provided in Query, but an invalid search results in an event indicating the failure.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| FailureThreshold | 4 | (1,8) | The number of consecutive failures required before an alert is generated. |
| Query | (objectCategory=DMD) | Any valid LDAP filter. | The query that is run against the global catalog. |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script finished successfully, which can be useful for debugging purposes. |

Note: The default value of the Query parameter has been carefully determined, based on the need for a reliably successful query (that is, at least one object is always returned by the query) that also has a low performance impact (that is, only a small number of objects are returned by the query). If you decide to change the default value of Query for any reason, it is recommended that you choose the new value carefully.

How the Script Works

The script creates an instance of the OOMADs COM object and calls the OOMADs.SearchGlobalCatalog method, passing the script parameter Query into the method call and executing the search on the nearest global catalog. The script then counts the number of results that are returned by the search.

If the call to OOMADs.SearchGlobalCatalog fails, the script generates an event indicating the error and increments a consecutive errors counter. If the consecutive errors counter equals the FailureThreshold script parameter, the script generates an alert event that contains the error descriptions for the previous consecutive errors.

If the call to OOMADs.SearchGlobalCatalog succeeds, and if the consecutive errors counter is greater than the FailureThreshold script parameter, the script generates an event indicating that the global catalog search has resumed after a certain number of consecutive failures, and it causes a Success alert to be generated in Microsoft Operations Manager 2000. Finally, the consecutive failures count is reset to 0.

When it completes successfully, the script generates performance data and stores it in Microsoft Operations Manager 2000. The data, which is stored in ActiveDirectoryMP/Global Catalog Search Time, represents the length of time (in milliseconds) that is required to complete the search on the global catalog.

Events

This script generates the events in the following table.

Event Number

Purpose

21026

This event indicates the number of consecutive failures that occurred during the script. The event includes the event descriptions of the consecutive failures, along with the times at which the failures occurred. This event serves as a summary of consecutive 21027 events.

21027

This event indicates that a failure occurred during the running of the script. The event includes the error description and the operation that the script was performing when the error occurred. One event is generated per failure.

20066

This event indicates that an invalid parameter was defined. The event describes the invalid parameter and the proper corrective action.

21000

The script encountered an error that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and so on.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20099

This event is logged to indicate that the script completed successfully, and it is only logged when the LogSuccessEvent parameter is True.

20002

This event is logged to indicate that the script was not run by an event processing rule, and therefore it will not run.

Rules

This script generates global catalog response alerts through the processing rules in the following table.

Rule

Description

Global Catalog Search Time - Critical Error:

This rule generates a Critical Error alert when the average value of the ActiveDirectoryMP/Global Catalog Search Time counter exceeds 30,000 over 5 samples. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Global Catalog Search Time - Error:

This rule generates an Error alert when the average value of the ActiveDirectoryMP/Global Catalog Search Time counter exceeds 15,000 over 5 samples. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Global Catalog Search Time - Warning:

This rule generates a Warning alert when the average value of the ActiveDirectoryMP/Global Catalog Search Time counter exceeds 5,000 over 5 samples. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

AD Lost and Found Object Count

The Lost and Found container in Active Directory contains objects that have been orphaned. Administrators should examine each object in the Lost and Found container to determine whether to delete the object or move it to another container.

Note: Orphaned objects are generated as follows. Assume that two domain controllers (DC1 and DC2) exist, each with a replicated copy of a given container. On DC1, a child is created in the container, while on DC2 (before replication can happen) the container is deleted. When DC1 replicates changes to DC2, the child object discovers it has no parent container available; therefore, DC2 adds the child to the Lost and Found container.

The AD Lost and Found Object Count script counts the number of objects in the Lost and Found container on the local domain controller and reports the information as performance data.

Parameters

This script accepts the parameters in the following table.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script successfully finished executing. This can be useful for debugging purposes. |

How the Script Works

This script creates an instance of the OOMADs COM object, sets the Server property to the local computer, and calls the OOMADs.BindLostFoundContainer method to bind to the Lost and Found container. After this bind, the script iterates and counts the objects in the container. If the call to OOMADs.BindLostFoundContainer fails, an event is generated indicating the nature of the error.

If the call to OOMADs.BindLostFoundContainer succeeds, the script writes performance data to Microsoft Operations Manager 2000 indicating the number of objects in the Lost and Found container.

If LogSuccessEvent equals True, the script generates an event indicating that the script completed successfully, along with the time necessary to complete the run and the number of items in the Lost and Found container.

Events

This script generates the events in the following table.

Event Number

Purpose

21000

An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and other errors.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20028

This event is logged to indicate that the script successfully completed execution. It is only logged when the LogSuccessEvent parameter is True. It includes the time the script took to run and the number of items in the Lost and Found container.

20002

This event is logged to indicate that the script was not run by an event processing rule. The script will not execute.

Rules

This script generates alerts through the threshold rules in the following table.

Rule

Description

Active Directory Lost Objects - Error

Generates an Error alert when the value of the ActiveDirectoryMP\Active Directory Lost Objects MOM performance counter exceeds 100. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Active Directory Lost Objects - Warning

This rule generates a Warning alert when the value of the ActiveDirectoryMP\Active Directory Lost Objects MOM performance counter exceeds 10. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

AD Monitor Trusts

TrustMon, which is included on Windows Server 2003 domain controllers, is the WMI trust monitoring provider. The AD Monitor Trusts script uses TrustMon to enumerate the trusts on the local domain controller, and it generates alerts if any problems are found. (Currently, the TrustMon provider has not been validated for Windows 2000.)

Parameters

This script accepts the parameter in the following table.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script successfully finished executing. This can be useful for debugging purposes. |

How the Script Works

The script configures the TrustMon WMI provider to return all trusts, and then it queries for all instances of the Microsoft_DomainTrustStatus object in the \root\MicrosoftActiveDirectory WMI namespace.

For each object that is returned, if the TrustType property of the object is not Downlevel or (the other options are Kerberos Realm and DCE, which cannot be monitored effectively by TrustMon), the trust is ignored.

If the TrustType of the object indicates that it can be monitored, the TrustStatus property of the object is checked. If TrustStatus is not 0, the trust is in an error state, and the trust and its TrustStatusString (a textual description of the current state of the trust) are formatted and added to the TrustErrors string.

After all the Microsoft_DomainTrustStatus objects have been processed, the local domain is obtained from the \root\MicrosoftActiveDirectory:Microsoft_LocalDomainInfo object.

If the TrustErrors string has data in it, an event is generated indicating the local domain and the trusts in error states, including the reason for each error.

If LogSuccessEvent is True, the script generates an event indicating that the script completed successfully and indicating how long it took to run.

Events

This script generates the events in the following table.

Event Number

Purpose

20082

This event details all the trusts that cannot be monitored because they are not Windows trusts. (The code to generate this event is currently commented out, as it has no perceived value.)

20083

This event details each trust that is in an error state. It includes the identity of each trust, the domain that the trust connects to, and the error description.

21000

An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and other errors.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20099

This event is logged to indicate that the script successfully completed running. It is only logged when the LogSuccessEvent parameter is True.

20002

This event is logged to indicate that the script was not run by an event processing rule. The script will not execute.

Rules

This script generates alerts through the rule in the following table.

Rule

Description

A Problem Has Been Detected with the Trust Relationship Between Two Domains

Generates an Error alert whenever event 20083 is created by the AD Monitor Trusts script. The alerts are suppressed on the following attributes: Alert Description, Source Name, Event Number, and Logging Domain. (Multiple events from different domain controllers within the same domain with the same description are suppressed.)

AD No GC Logon Information

No GC Logon is a feature of the Windows Server 2003 family. The AD No GC Logon script is run in response to a No GC Logon event. The AD No GC Logon script collects data that may be useful to an administrator in diagnosing an error that is generated when a problem occurs with the No GC Logon functionality in Windows Server 2003.

Parameters

This script accepts the parameters in the following table.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script successfully finished executing. This can be useful for debugging purposes. |

How the Script Works

The AD No GC Logon script collects information that may be helpful to an administrator when an event that is relevant to No GC Logon occurs.

This script reads the following registry keys, ignoring any errors that occur during the process:

After each key is read, its value (or values, if applicable) is added to a string that is used to collect No GC Logon data.

Two searches are performed against the local computer. The search filters are as follows:

(msDS-Site-Affinity=*)

(&(msDS-Site-Affinity=*)(msDS-Cached-Membership=*)(msDS-Cached-Membership-Time-Stamp<Time)), where Time is the current time plus the number of minutes defined by the registry key value HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Staleness (minutes).

The first search counts the number of objects with site affinity to the local site. The second search counts the number of objects that have site affinity to this site and that have expired cached memberships.

All of the data that is collected from the registry and the two searches is formatted into a string, along with descriptions of what each value means, and it is used as the event description for event 20090.

Events

This script generates the events in the following table.

Event Number

Purpose

20090

This event contains details of all the data that is collected by the AD No GC Logon script. This information may be useful in diagnosing and fixing errors in No GC Logon.

21000

An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and other errors.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20099

This event is logged to indicate that the script successfully completed running. It is only logged when the LogSuccessEvent parameter is True.

20002

This event is logged to indicate that the script was not run by an event processing rule. The script will not execute.

Rules

This script generates alerts through the processing rule in the following table.

AD Op Master Response

The AD Op Master Response script monitors Active Directory operations masters. Operations masters are domain controllers that hold one or more of the flexible single master operations (FSMO) roles in Active Directory. These roles are critical to the health and availability of Active Directory. The operations master roles include the following:

Schema operations master

Domain naming operations master

Infrastructure operations master

RID operations master

PDC emulator operations master

This script runs every five minutes to determine whether the operations masters are responsive. The response time for each role holder is recorded as performance data.

Parameters

The script parameters in the following table control threshold limits for alerts that are generated by this script.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| FailureThreshold | 4 | (1,20) | The number of consecutive failures for a specific test that must occur before an alert is generated. |
| SuccessCount | 3 | (1,48) | The number of times a particular test is skipped, following successful completion of that test. This parameter does not affect the testing of the PDC emulator operations master, which is tested each time that the script runs. The PDC emulator operations master must be available at all times for the domain to remain healthy. |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script finished successfully, which can be useful for debugging purposes. |

When this script runs, it validates the SuccessCount and FailureThreshold parameters. If either of these parameters is outside the valid range, the parameter is set to the default value, and an event is generated indicating which parameter was invalid.

How the Script Works

For each operations master, this script determines when that operations master was last successfully tested. If the number of script runs since the last successful test is greater than or equal to the SuccessCount parameter, the test is performed again (with the exception of the PDC emulator master, which is tested during each script run). An operations master is also tested if the previous test of the same operations master failed or if the operations master has not been tested since the OnePoint service started.

If the script tests an operations master and the test fails, the script generates an event and increments a counter that is associated with the domain controller being tested. If the counter equals the FailureThreshold parameter, the script generates another event, and it generates a Warning alert indicating that multiple consecutive failures have occurred.

When the script tests an operations master and the test completes successfully, the failure counter for that domain controller is reset to 0, and a success event is generated. The script also generates an Information alert.

Testing an Operations Master

For each operations master role, this script determines the domain controller that holds the role by calling the appropriate method on the OOMADs COM object. Internally, the COM object determines the role holder, as described in article 235617, “How to Find the FSMO Role Owners Using ADSI and WSH” in the Microsoft Knowledge Base.

Before performing any tests, the script determines the IP address of the domain controller. If this test fails, no further tests are performed. Using the IP address, the script performs a ping. Following a successful ping, the script performs a bind to the RootDSE object on the domain controller through ADSI. If the ping fails, the script tries once more, following a short (100-millisecond) delay. Similarly, if the bind fails, the script also tries again after a 100-millisecond delay. If either of these tests fails on the second attempt, the script considers the test of that operations master to have failed.

When the test succeeds, the script records the response time of the operations master as performance data. The script records the ping response time as ActiveDirectoryMP:Op Master XXXX Last Ping, where XXXX represents the operations master (PDC emulator, schema, domain naming, and so on). The script records the bind response time as ActiveDirectoryMP:Op Master XXXX Last Bind, where XXXX represents the operations master (PDC emulator, schema, domain naming, and so on).
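The scheduling and retry rules described above, modelled in Python as an added example (not the Management Pack's own script). The `resolve`, `ping` and `bind` callables stand in for the real network operations and are assumptions, as are the role keys, the "failure" level label, keeping one failure counter per role, and emitting the Information event only after the threshold had been reached; the event numbers come from the page's event table.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Event numbers from the page's event table:
# role -> (consecutive-failure / recovery event, single-failure event)
ROLE_EVENTS = {
    "pdc": (20011, 20012),
    "domain_naming": (20003, 20004),
    "infrastructure": (20007, 20008),
    "rid": (20015, 20016),
    "schema": (20019, 20020),
}


@dataclass
class RoleState:
    runs_since_success: Optional[int] = None  # None: untested since service start
    last_failed: bool = False
    failures: int = 0                         # consecutive failures


def with_retry(step, sleep, delay=0.1):
    """Run step(); if it fails, wait 100 ms and try exactly once more."""
    try:
        return step()
    except OSError:
        sleep(delay)
        return step()


def probe_role(resolve, ping, bind, sleep):
    """Resolve, ping, then bind. Returns (ping_seconds, bind_seconds)."""
    ip = resolve()  # no retry: if resolution fails, no further tests run
    ping_s = with_retry(lambda: ping(ip), sleep)
    bind_s = with_retry(lambda: bind(ip), sleep)
    return ping_s, bind_s


class OpMasterMonitor:
    def __init__(self, failure_threshold=4, success_count=3):
        self.failure_threshold = failure_threshold
        self.success_count = success_count
        self.state = {role: RoleState() for role in ROLE_EVENTS}
        self.events = []  # (event_number, level, role)

    def due(self, role):
        """A role is tested if it is the PDC emulator, was never tested,
        failed last time, or SuccessCount runs have passed since success."""
        s = self.state[role]
        return (role == "pdc"
                or s.runs_since_success is None
                or s.last_failed
                or s.runs_since_success >= self.success_count)

    def run(self, probes, sleep=time.sleep):
        """One scheduled run. probes maps role -> (resolve, ping, bind).
        Returns role -> (ping_seconds, bind_seconds) for roles tested OK."""
        perf = {}
        for role, (summary_ev, failure_ev) in ROLE_EVENTS.items():
            s = self.state[role]
            if s.runs_since_success is not None:
                s.runs_since_success += 1
            if not self.due(role):
                continue
            try:
                perf[role] = probe_role(*probes[role], sleep)
            except OSError:
                s.last_failed = True
                s.failures += 1
                self.events.append((failure_ev, "failure", role))
                if s.failures == self.failure_threshold:
                    self.events.append((summary_ev, "Warning", role))
                continue
            if s.failures >= self.failure_threshold:
                self.events.append((summary_ev, "Information", role))
            s.failures, s.last_failed, s.runs_since_success = 0, False, 0
        return perf
```

With the default SuccessCount of 3, a healthy non-PDC role holder is probed on every third run, so an outage of that role can go unnoticed for up to two intervals before the first failure event.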

Information Gathering in the Event of a Failure

If the ping fails, the script uses instances of the WMI Win32_NetworkAdapterConfiguration class to discover the DNS servers that are in use by the domain controller and the default gateway. After obtaining the default gateway, the script attempts to ping the gateway.

The script generates an event that includes the DNS servers that are configured for the computer, the IP address of the default gateway, and whether the default gateway is reachable. The error number and the description of the error that occurs during the tests (if available) are also included in the event description.

Events

This script generates the events in the following table.

Event Number

Purpose

20011

(Warning) Consecutive errors were encountered in contacting the PDC emulator. The error descriptions are included in the event description.

(Information) The tests against the PDC emulator have succeeded following consecutive failures.

(Both of these events cause alerts to be generated.)

20012

An error was encountered in contacting the PDC emulator. (This event does not cause an alert to be generated.)

20003

(Warning) Consecutive errors were encountered in contacting the domain naming operations master. The error descriptions are included in the event description.

(Information) The tests against the domain naming operations master have succeeded following consecutive failures.

(Both of these events cause alerts to be generated.)

20004

An error was encountered in contacting the domain naming operations master. (This event does not cause an alert to be generated.)

20007

(Warning) Consecutive errors were encountered in contacting the infrastructure operations master. The error descriptions are included in the event description.

(Information) The tests against the infrastructure operations master have succeeded following consecutive failures.

(Both of these events cause alerts to be generated.)

20008

An error was encountered contacting the infrastructure operations master. (This event does not cause an alert to be generated.)

20015

(Warning) Consecutive errors were encountered in contacting the RID operations master. The error descriptions are included in the event description.

(Information) The tests against the RID operations master have succeeded following consecutive failures.

(Both of these events cause alerts to be generated.)

20016

An error was encountered in contacting the RID operations master. (This event does not cause an alert to be generated.)

20019

(Warning) Consecutive errors were encountered in contacting the schema operations master. The error descriptions are included in the event description.

(Information) The tests against the schema operations master have succeeded following consecutive failures.

(Both of these events cause alerts to be generated.)

20020

An error was encountered in contacting the schema operations master. (This event does not cause an alert to be generated.)

21000

An error was encountered during execution of the script that the script does not specifically handle. Such errors include errors that are returned by the WMI provider, errors in binding to the RootDSE, and other errors.

The error message should describe the operation that caused the error, along with the error number and, if possible, a description of the error.

20099

This event is logged to indicate that the script successfully completed running. It is only logged when the LogSuccessEvent parameter is True.

20002

This event is logged to indicate that the script was not run by an event processing rule. The script will not execute.

Rules

This script generates alerts through the processing rules in the following table.

Rule

Description

Script - AD Op Master Response

The sole purpose of this rule is to run the script every 5 minutes.

Failed to ping or bind to the Domain Naming Master FSMO role holder

This rule generates a Warning alert when event 20003 with the severity level Warning from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain.

Contacting the Domain Naming FSMO Role Holder has completed successfully

This rule generates a Success alert when event 20003 with the severity level None (this corresponds to a success event level) from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain.

Failed to ping or bind to the Infrastructure FSMO role holder

This rule generates a Warning alert when event 20007 with the severity level Warning from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain.

Contacting the Infrastructure FSMO Role Holder has completed successfully

This rule generates a Success alert when event 20007 with the severity level None (this corresponds to a success event level) from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain.

Failed to ping or bind to the PDC FSMO role holder

This rule generates a Warning alert when event 20011 with the severity level Warning from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain.

Contacting the PDC FSMO Role Holder has completed successfully

This rule generates a Success alert when event 20011 with the severity level None (this corresponds to a success event level) from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain.

Failed to ping or bind to the RID Master FSMO role holder

This rule generates a Warning alert when event 20015 with the severity level Warning from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain.

Contacting the RID FSMO Role Holder has completed successfully

This rule generates a Success alert when event 20015 with the severity level None (this corresponds to a success event level) from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain.

Failed to ping or bind to the Schema Master FSMO role holder

This rule generates a Warning alert when event 20019 with the severity level Warning from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain.

Contacting the Schema FSMO Role Holder has completed successfully

This rule generates a Success alert when event 20019 with the severity level None (this corresponds to a success event level) from the AD Op Master Response script occurs. The alert is suppressed on the following attributes: Alert Description, Severity, Source Name, Event Number, Computer, and Logging Domain.

Op Master Domain Naming Last Bind - Critical Error

This rule generates a Critical Error alert when the average of the ActiveDirectoryMP/Op Master Domain Naming Last Bind counter over the last 5 samples exceeds 30. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Domain Naming Last Bind - Error

This rule generates an Error alert when the average of the ActiveDirectoryMP/Op Master Domain Naming Last Bind counter over the last 5 samples exceeds 15. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Domain Naming Last Bind - Warning

This rule generates a Warning alert when the average of the ActiveDirectoryMP/Op Master Domain Naming Last Bind counter over the last 5 samples exceeds 5. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Infrastructure Last Bind - Critical Error

This rule generates a Critical Error alert when the average of the ActiveDirectoryMP/Op Master Infrastructure Last Bind counter over the last 5 samples exceeds 30. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Infrastructure Last Bind - Error

This rule generates an Error alert when the average of the ActiveDirectoryMP/Op Master Infrastructure Last Bind counter over the last 5 samples exceeds 15. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Infrastructure Last Bind - Warning

This rule generates a Warning alert when the average of the ActiveDirectoryMP/Op Master Infrastructure Last Bind counter over the last 5 samples exceeds 5. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master PDC Last Bind - Critical Error

This rule generates a Critical Error alert when the average of the ActiveDirectoryMP/Op Master PDC Last Bind counter over the last 5 samples exceeds 30. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master PDC Last Bind - Error

This rule generates an Error alert when the average of the ActiveDirectoryMP/Op Master PDC Last Bind counter over the last 5 samples exceeds 15. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master PDC Last Bind - Warning

This rule generates a Warning alert when the average of the ActiveDirectoryMP/Op Master PDC Last Bind counter over the last 5 samples exceeds 5. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master RID Last Bind - Critical Error

This rule generates a Critical Error alert when the average of the ActiveDirectoryMP/Op Master RID Last Bind counter over the last 5 samples exceeds 30. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master RID Last Bind - Error

This rule generates an Error alert when the average of the ActiveDirectoryMP/Op Master RID Last Bind counter over the last 5 samples exceeds 15. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master RID Last Bind - Warning

This rule generates a Warning alert when the average of the ActiveDirectoryMP/Op Master RID Last Bind counter over the last 5 samples exceeds 5. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Schema Last Bind - Critical Error

This rule generates a Critical Error alert when the average of the ActiveDirectoryMP/Op Master Schema Last Bind counter over the last 5 samples exceeds 30. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Schema Last Bind - Error

This rule generates an Error alert when the average of the ActiveDirectoryMP/Op Master Schema Last Bind counter over the last 5 samples exceeds 15. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

Op Master Schema Last Bind - Warning

This rule generates a Warning alert when the average of the ActiveDirectoryMP/Op Master Schema Last Bind counter over the last 5 samples exceeds 5. The alert is suppressed on the following attributes: Alert Source, Computer, and Domain.

AD Replication Monitoring

The AD Replication Monitoring script monitors replication. Because replication can be difficult to monitor, the scripts, rules, and reports that Active Directory Management Pack provides are particularly important.

Active Directory Management Pack accomplishes the two most important goals for monitoring replication:

Detecting replication problems

Monitoring replication latency

The AD Replication Monitoring script performs the following tasks:

It updates MOMLatencyMonitor objects.

It determines whether replication is occurring.

It calculates performance data for specified computers.

It records replication performance data.

This script runs periodically, based on a scheduled rule in the Active Directory Availability processing rules group. By default, this script runs once per hour. Each task in the script runs once per n runs of the script, where n represents a configurable parameter.

By default, the script calculates performance data each time the script runs, and it tests whether replication is occurring. The MOMLatencyMonitor objects, which the script creates in directory partitions to test replication, are updated every six hours.

You must manually add the domain controllers that you want the AD Replication Monitoring script to monitor to the Active Directory Replication Latency Monitoring computer group.

Parameters

This script accepts the parameters in the following table.

| Parameter Name | Description | Default Value |
| --- | --- | --- |
| ObjectUpdateThreshold | The threshold beyond which the script assumes that either replication is not occurring or the script is not running on the other source domain controller. | 24 (hours) |
| InterSiteMaxExpectedLatency | The expected maximum time taken to replicate between sites. | 15 (minutes) |
| IntraSiteMaxExpectedLatency | The expected maximum time taken to replicate between any two computers within a site. | 5 (minutes) |
| ChangeInjectionFrequency | Specifies how often a change is injected into the system. The change is injected into the system every nth time the script runs, where n is the value of the ChangeInjectionFrequency parameter. Note that ChangeInjectionFrequency is affected by how often the script is run. By default, the script runs once per hour, so that the default settings cause an injection to occur once every six hours. | 6 |
| MonitorDomainNC | If this parameter is True, the domain directory partition is monitored. | True |
| MonitorConfigNC | If this parameter is True, the configuration directory partition is monitored. | False |
| MonitorApplicationPartitions | If this parameter is True, all application partitions are monitored. | False |
| FirstReplicationPeriod | If the initial replication after domain controller promotion does not occur within the specified number of hours, an alert is generated. | 24 (hours) |
| LogSuccessEvent | If this parameter is True, an event is generated every time the script runs successfully, whether it does any useful work or not. | False |

How the Script Works

To determine the health of Active Directory replication, this script performs both of the following tasks:

It creates or modifies its own directory objects and follows the replication of the changes it makes to determine replication latency.

It queries the replication subsystem, through the WMI replication provider, to determine replication health.

Creating or Updating a Directory Object

This script creates or updates its own directory objects in each directory partition that is monitored. Within each directory partition being monitored, the script periodically updates specific objects that uniquely identify each domain controller that holds a replica of the directory partition.

For each directory partition being monitored, a container called MOMLatencyMonitorObjects (of the container object class) is created at the root of the partition. Each domain controller then writes its own object, which is named with the common name of the domain controller, into that container, and the domain controller is responsible for updating the adminDescription attribute of that object.

For example, for the configuration and domain directory partitions of the cohovineyard.com domain, these objects appear as follows:

Every monitored directory partition must support objects with an objectClass of container.

Note: This script must run with a permission level that is sufficient to create a container in the root of each monitored directory partition.

When this script runs, it finds its object in each of the directory partitions, and it updates the adminDescription attribute with the current date and time. The frequency of this update is determined by the ChangeInjectionFrequency script parameter. By default, this update occurs every sixth time the script runs, to limit the amount of replication traffic that the monitoring system creates. After the script updates its object, replication occurs, and the change is replicated to other domain controllers.

If the script cannot update its object, the script generates an event identifying the reason for the failure. Possible problems include insufficient permissions or simply an unexpected run-time error.

Determining Whether Replication Is Occurring

To determine whether replication is occurring, the script finds all of the domain controllers in each MOMLatencyMonitorObjects container within each of the monitored directory partitions, and it checks the values of their adminDescription attribute.

The value of adminDescription is checked in a number of different ways. If the value is in the future, an event is generated that identifies a time skew problem. (If the clocks between two domain controllers are not synchronized, replication problems may occur that may invalidate the injection method of calculating replication latency.) If the value of adminDescription is older than the user-specified testing period that is provided in the script parameter ObjectUpdateThreshold, an event is generated to identify that the object has not been updated in this period of time.

If the domain controller being checked is in the same site as the local domain controller, and if the difference between the adminDescription attribute and the whenChanged attribute is greater than three times the user-defined intrasite threshold (which is supplied to the script through the parameter IntraSiteMaxExpectedLatency), an error is indicated, and an event detailing this error is generated. This process is similar for domain controllers in different sites, using the InterSiteMaxExpectedLatency script parameter. For details about how the difference between the adminDescription and whenChanged values is used for performance data, see “Collecting Performance Data” later in this document.

If the difference between the adminDescription and whenChanged attributes is within the applicable threshold, no events are generated. However, performance data can still be recorded.

Using data from the WMI Replication Provider, the script also checks whether the connection objects for the local domain controller are replicating correctly. If the attribute NumberOfConsecutiveFailures is greater than or equal to 2, this indicates an error condition. (Alerts are not generated when the value equals 1, to prevent the generation of alerts based on transient or one-time-only failures.) The value of this attribute and the value of the TimeOfLastSyncSuccess are reported in an event as error parameters.

Illustrating Replication Monitoring

This section provides a series of three figures to illustrate how the AD Replication Monitoring script works. In this example, three domain controllers (DC 1, DC 2, and DC 3) are being monitored. The example assumes that the script runs at :00 minutes each hour. (By default, the AD Replication Monitoring script runs once per hour, though not necessarily at :00 minutes.) For simplicity, the figures show only the time values for adminDesc and whenChanged, even though these attributes actually contain both the date and time.

In the first figure, the three domain controllers are shown at 12:00 UTC, immediately after the AD Replication Monitoring script has made its first run. As shown in the following figure, the script has created one replication monitoring object on each domain controller. In adminDesc on each object, the script writes the time that the object was created. The whenChanged attribute reflects the time that the object was last updated. Because these objects are new, the two values are equal.

During the next hour (between 12:00 UTC and 13:00 UTC), replication between the three domain controllers occurs, as illustrated in the following figure.

Figure 7: Replication occurs.

The script makes its next hourly run at 13:00 UTC. At this time, the script checks its monitoring objects, and it calculates replication latency for each replicated monitoring object on each domain controller. The script calculates replication latency by calculating the difference between the values for whenChanged and adminDesc on each object, as shown in the following figure.

Figure 8: Replication latency is calculated.

In addition, the script checks that replication is occurring on all domain controllers, by checking the age of the adminDesc value on each monitoring object. The script updates adminDesc on each monitoring object every sixth time the script runs. Therefore, an out-of-date value for adminDesc is a good indication that the source domain controller for that monitoring object is not replicating properly.

The script generates an alert if any of the following are true:

The value in adminDesc on a monitoring object is older than ObjectUpdateThreshold (which is one day by default).

Intrasite replication latency for a monitoring object is greater than three times the IntraSiteMaxExpectedLatency threshold.

Intersite replication latency for a monitoring object is greater than three times the InterSiteMaxExpectedLatency threshold.

Checking Initial Replication

This script also performs a check specifically to determine whether initial replication has completed in a timely manner. The script binds to each directory partition, and it reads the whenCreated and replUpToDateVector attributes on the directory partition object. If the replUpToDateVector attribute exists, the initial replication has succeeded, and no further action is taken. If the replUpToDateVector attribute does not exist, and if the whenCreated attribute indicates that the directory partition is older (in hours) than the value represented by the FirstReplicationPeriod script parameter, an alert is generated indicating that initial replication has not succeeded.

If a domain controller does not complete its initial replication, the domain controller will not advertise itself as a domain controller on the network. Monitoring initial replication helps ensure that domain controllers that are being created for shipment and installation in remote sites have been fully replicated — before shipment — and will therefore advertise themselves properly after being installed in the remote sites.

Collecting Performance Data

Because collecting performance data introduces a CPU load, this script does not collect performance data by default. You can enable and disable performance data collection for each domain controller separately. When performance data collection is enabled for a domain controller, latency data is collected for replication between that domain controller and every other domain controller for which performance data collection is also enabled. The collected performance data includes the minimum, maximum, and average latencies over a single day for each pair of replicating domain controllers. For example, consider a domain that includes 15 domain controllers, for which performance data collection has been enabled on 3 of those domain controllers. In this case, replication data collection only occurs when replication occurs from one to another of the 3 domain controllers on which performance data collection has been enabled.

Enabling Performance Data Collection

To enable performance data collection for a given domain controller, you must manually add that domain controller to the Active Directory Replication Latency Monitoring computer group within Microsoft Operations Manager 2000. By default, only one MOM rule applies to this group, Update Replication Latency Perf Data Collection Flag. This rule runs once per hour, and it sets the state variable ReplicationLatencyPerfDataFlag to the current date and time. This state variable is used solely by the AD Replication Monitoring script to determine whether to include a domain controller in the set of computers for which performance data is being collected.

Calculating Performance Data

When it runs, the AD Replication Monitoring script modifies the adminDescription attribute of the MOMLatencyMonitor object of each domain controller. This attribute stores the current date and time. If the ReplicationLatencyPerfDataFlag state variable has a date and time that is no older than two hours, as the script updates the adminDescription attribute, an extra flag is added indicating that the domain controller is included in the set of domain controllers for which performance data is collected.

Note: The time stamp in adminDescription is stored in a UTC locale-independent format.

In calculating the difference between adminDescription and whenChanged, if both of the replicating domain controllers belong to the Active Directory Replication Latency Monitoring computer group, and if adminDescription is determined to be valid, the data is added to the data that is stored locally on the domain controller.

The data that is stored locally is used to generate daily minimum, maximum, and average values for replication latency. To this end, the data that is stored for each monitored directory partition for each domain controller includes the following:

The current date

The last time replication was calculated

The number of times that the script has calculated replication during the day

If the script determines that its last run occurred on a previous day, the script generates performance data for the minimum, maximum, and average replication latency values for the previous day. When stored, the data is generated for the counter Maximum Replication Latency:NamingContext where NamingContext is replaced by the name of the directory partition being modified. The instance of the object is the name of the domain controller with which the replication latency is being calculated.

If performance data is being collected for two domain controllers, and if both the configuration directory partition and the domain directory partition are being monitored, the performance data collected each day would appear similar to the data in the following table.

| Domain Controller Name | Counter Name | Instance |
| --- | --- | --- |
| DC1 | Maximum Replication Latency | Configuration:DC2 |
| DC1 | Average Replication Latency | Configuration:DC2 |
| DC1 | Minimum Replication Latency | Configuration:DC2 |
| DC1 | Maximum Replication Latency | Domain:COHOVINEYARD:DC2 |
| DC1 | Average Replication Latency | Domain:COHOVINEYARD:DC2 |
| DC1 | Minimum Replication Latency | Domain:COHOVINEYARD:DC2 |
| DC2 | Maximum Replication Latency | Configuration:DC1 |
| DC2 | Average Replication Latency | Configuration:DC1 |
| DC2 | Minimum Replication Latency | Configuration:DC1 |
| DC2 | Maximum Replication Latency | Domain:COHOVINEYARD:DC1 |
| DC2 | Average Replication Latency | Domain:COHOVINEYARD:DC1 |
| DC2 | Minimum Replication Latency | Domain:COHOVINEYARD:DC1 |

Validating Script Parameters

The AD Replication Monitoring script validates script parameters to ensure that the ObjectUpdateThreshold parameter is more than three times the value of the InterSiteMaxExpectedLatency parameter. In addition, the script checks that the InterSiteMaxExpectedLatency parameter is greater than or equal to the IntraSiteMaxExpectedLatency parameter. If any of these checks fail, an event is generated identifying the problem, and no further script processing occurs until the error is corrected.
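The checks described under "Determining Whether Replication Is Occurring" and "Validating Script Parameters" can be modelled offline as follows. This is an added example, not the Management Pack's own script: the class and function names, the order of the checks, the conversion of ObjectUpdateThreshold from hours to minutes for the comparison, and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Params:
    object_update_threshold_h: int = 24   # ObjectUpdateThreshold (hours)
    inter_site_max_min: int = 15          # InterSiteMaxExpectedLatency (minutes)
    intra_site_max_min: int = 5           # IntraSiteMaxExpectedLatency (minutes)


@dataclass
class MonitorObject:
    """A replicated monitoring object as read from the local replica (hypothetical model)."""
    dc_name: str
    site: str
    admin_description: datetime   # time stamp written by the source DC
    when_changed: datetime        # when the change arrived in the local replica


def validate_params(p):
    """Return a list of parameter problems; any entry corresponds to event 20066."""
    problems = []
    # Assumption: hours are converted to minutes before the two values are compared.
    if p.object_update_threshold_h * 60 <= 3 * p.inter_site_max_min:
        problems.append("ObjectUpdateThreshold must exceed 3x InterSiteMaxExpectedLatency")
    if p.inter_site_max_min < p.intra_site_max_min:
        problems.append("InterSiteMaxExpectedLatency must be >= IntraSiteMaxExpectedLatency")
    return problems


def check_object(obj, local_site, now, p):
    """Return the event numbers one monitoring object would raise."""
    if obj.admin_description > now:
        return [20063]            # time skew: the latency value cannot be trusted
    events = []
    if now - obj.admin_description > timedelta(hours=p.object_update_threshold_h):
        events.append(20061)      # object not updated within ObjectUpdateThreshold
    same_site = obj.site == local_site
    limit_min = p.intra_site_max_min if same_site else p.inter_site_max_min
    latency = obj.when_changed - obj.admin_description
    if latency > timedelta(minutes=3 * limit_min):
        events.append(20062)      # replicated, but slower than 3x the threshold
    return events


def evaluate(objects, local_site, now, p):
    """Run the parameter check first; invalid parameters stop all processing."""
    if validate_params(p):
        return {"parameters": [20066]}
    return {o.dc_name: check_object(o, local_site, now, p) for o in objects}


def failing_partners(links):
    """links: (partner, NumberOfConsecutiveFailures) pairs; a single failure is ignored."""
    return [name for name, failures in links if failures >= 2]


def at(day, hour, minute):
    return datetime(2024, 1, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: the local DC is in site "HQ" and runs the check at 13:00 UTC.
NOW = at(10, 13, 0)
SAMPLE = [
    MonitorObject("DC2", "HQ", at(10, 12, 0), at(10, 12, 2)),       # 2 min, healthy
    MonitorObject("DC3", "HQ", at(10, 12, 0), at(10, 12, 20)),      # 20 min > 3 x 5
    MonitorObject("DC4", "Branch", at(10, 12, 0), at(10, 12, 40)),  # 40 min <= 3 x 15
    MonitorObject("DC5", "Branch", at(8, 12, 0), at(8, 12, 10)),    # last update 49 h ago
    MonitorObject("DC6", "Branch", at(10, 13, 30), at(10, 12, 59)), # stamp in the future
]

if __name__ == "__main__":
    for name, events in evaluate(SAMPLE, "HQ", NOW, Params()).items():
        print(name, events)
```
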

Events

When this script detects a failure, either by querying the WMI Replication Provider or by detecting that an expected change has not replicated through the system, the script generates an event that provides details of the failure. If multiple problems are detected, the script generates events for each type of problem.

For example, if the WMI Replication Provider identifies that replication is not occurring through a connection object, this information is added to an event. If the script detects that the adminDescription value has not been updated within a reasonable amount of time or that the adminDescription value represents some time in the future, a different event is generated.

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 20001 | This event does not trigger an alert, and it is generated when an attempt is made to configure a rule, other than an event processing rule, to run a monitoring script. |
| 20061 | Indicates that the MOMLatencyMonitor object has not been updated in the last x hours, and it is triggered when the difference between a domain controller’s adminDescription value in a particular directory partition and the current time is more than ObjectUpdateThreshold hours. For any given execution of the script, each of the domain controllers in each directory partition being monitored is added to a single event. |
| 20062 | Indicates that replication occurred but that it exceeded the specified thresholds (either intrasite or intersite, as applicable). |
| 20063 | Indicates that a time skew has been detected. The value of the adminDescription attribute of one or more domain controllers is set to a time in the future, according to the local domain controller. |
| 20066 | Indicates that the sanity check has failed. One or more of the script parameters are configured in a way that the script does not support. |
| 20067 | Indicates that an access error to the monitoring objects in one of the directory partitions has occurred. |
| 20068 | Indicates that the WMI ReplProv component is not installed. This prevents the AD Replication Monitoring script from monitoring replication fully. |
| 20069 | Indicates that the initial replication following the domain controller promotion has not completed. |
| 20083 | This event does not trigger an alert, and it is generated when the script detects that a domain controller has not updated its MomLatencyMonitor object within the specified period. If this condition is detected, the script searches the directory to determine if the domain controller is still valid. If the domain controller is no longer valid, the MomLatencyMonitor object is deleted, and the event is generated. |
| 20099 | Indicates that the script successfully completed running. This event is only logged when the LogSuccessEvent parameter is True. |
| 21000 | Indicates that an unexpected run-time failure has occurred in the script. |
| 20064, 20065 | Indicate that the WMI Replication Provider has detected that some or all of the replication partners for the local domain controller failed to replicate the last time that replication was attempted. |

Alerts

All of the events generated by this script that represent replication failures or replication latency problems are consolidated into a single alert with the following name: “One or more domain controllers are having problems replicating.” All other events are consolidated based on the source and event ID. In other words, all events with the same source and ID from a given domain controller are consolidated into a single alert.

AD Replication Partner Count

The AD Replication Partner Count script counts the number of replication partners for each domain controller. The script generates alerts if too many (or too few) replication partners exist for a domain controller, based on the replication topology.

This script is configured using script parameters in Microsoft Operations Manager 2000, as described in the following table.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| MaxGrowthPercent | 0 | 0–100 | Indicates the maximum growth (per domain controller) in the number of inbound or outbound connections that are allowed between each running of the script before an alert is generated. |
| ConnectionsThresholdWarning | 40 | 1–100 | Indicates the number of replication partners allowed (per domain controller) before a Warning alert is generated. |
| ConnectionsThresholdError | 50 | *–100 | Indicates the number of replication partners allowed (per domain controller) before an Error alert is generated. If ConnectionsThresholdError is not greater than or equal to ConnectionsThresholdWarning, ConnectionsThresholdError is set to the value of ConnectionsThresholdWarning. |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script completed successfully, which can be useful for debugging purposes. |

How the Script Works

This script initializes a global instance of an ADODB.Connection object (which is used to search the directory), binds to the RootDSE of the local computer, and stores the ConfigurationNamingContext and ServerName attributes. The script then binds to the local computer object using the ServerName attribute. The local computer object is used later in the script.

The script then determines the number of inbound connections to the local domain controller by binding to the CN=NTDSSettings,ServerName object, where ServerName represents the value that is read from the ServerName attribute. Because each child object within this object represents a connection object, the script counts these child objects. The number of child objects represents the number of inbound connections to this domain controller.

If no inbound connections exist, the script completes a search to determine whether multiple domain controllers exist. If multiple domain controllers exist, the script sets a flag indicating that this server has no inbound replication connections.

If multiple domain controllers exist, the script also counts the number of outbound connections for the local domain controller by counting the number of objects that are returned when searching the CN=Sites container in the configuration directory partition, with a search filter of (&(objectCategory=nTDSConnection)(fromServer=CN=NTDSSettings,ServerName)), where ServerName represents the value that is read from the ServerName attribute.

Note: The script counts the outbound connections for a domain controller by counting the number of inbound connections on other domain controllers that reference the domain controller currently being monitored.

If multiple sites exist, the script also checks that the current site has an inbound connection from at least one other site. To determine whether multiple sites exist, the script performs a search on the CN=Sites container in the configuration directory partition, with a search filter of (objectCategory=siteObject). The search is of scope onelevel. The number of rows that are returned by the search represents the number of sites that exist.

When multiple sites do exist, the script constructs a search filter that includes (objectCategory=connectionObject). For each server in the local computer's site, a clause is added: (fromServer<>ServerDistinguishedName), where ServerDistinguishedName represents the distinguished name of each of the domain controllers in the local computer's site, including the local domain controller. This search filter is used to perform a subtree search on the CN=Sites container in the configuration directory partition. If the search returns one or more rows, at least one inbound connection to the site of the local domain controller exists.

After all these tests have been performed, the script generates the appropriate events. If multiple servers exist and either no inbound connections exist, no outbound connections exist, or there are no inbound connections to the local computer's site, a replication island event is created indicating what the problem is. If there are more inbound or outbound connections than the specified threshold indicates are allowable, a Warning or Error alert (depending on which threshold is exceeded) is created.
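The island and threshold checks above can be reproduced against an in-memory list of connection objects, which is useful for testing alert thresholds before changing them. This is an added example, not the Management Pack's script: it evaluates a constructed topology instead of running the LDAP searches, it leaves out the MaxGrowthPercent check, and the names Connection, partner_count_events, SITE_OF and TOPOLOGY are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One connection object: replication flows from from_server to to_server."""
    from_server: str
    to_server: str


def partner_count_events(local_dc, site_of, connections, warn=40, error=50):
    """Return (event number, severity, detail) tuples for the local DC.

    site_of maps every domain controller name to its site. Defaults are the
    ConnectionsThresholdWarning and ConnectionsThresholdError defaults.
    """
    # ConnectionsThresholdError is raised to the warning value when it is lower.
    if error < warn:
        error = warn

    inbound = sum(1 for c in connections if c.to_server == local_dc)
    # Outbound connections are the inbound connections of other DCs that name this DC.
    outbound = sum(1 for c in connections if c.from_server == local_dc)

    events = []
    if len(site_of) > 1:  # island checks only apply when multiple DCs exist
        if inbound == 0:
            events.append((20080, None, "no inbound connections"))
        if outbound == 0:
            events.append((20080, None, "no outbound connections"))
        local_site = site_of[local_dc]
        if len(set(site_of.values())) > 1:  # multiple sites exist
            site_linked = any(
                site_of[c.to_server] == local_site
                and site_of[c.from_server] != local_site
                for c in connections
            )
            if not site_linked:
                events.append(
                    (20080, None, "site %s has no inbound connection from another site" % local_site)
                )

    for direction, count in (("inbound", inbound), ("outbound", outbound)):
        if count > error:
            events.append((20081, "Error", "%d %s connections" % (count, direction)))
        elif count > warn:
            events.append((20081, "Warning", "%d %s connections" % (count, direction)))
    return events


# Constructed topology: two DCs in HQ, one in Branch, and no connection back from Branch.
SITE_OF = {"DC1": "HQ", "DC2": "HQ", "DC3": "Branch"}
TOPOLOGY = [
    Connection("DC2", "DC1"),
    Connection("DC1", "DC2"),
    Connection("DC1", "DC3"),
]

if __name__ == "__main__":
    for dc in SITE_OF:
        print(dc, partner_count_events(dc, SITE_OF, TOPOLOGY))
```
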

Events

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 21000 | The script encountered an error that the script does not specifically handle, including errors that are returned by the WMI provider, errors in binding to the RootDSE, and so on. The error message describes the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 20080 | Indicates that a replication topology problem exists. The event description identifies what sort of problem exists: for example, a domain controller with no connection objects or a site that is not connected to any other site. |
| 20081 | Indicates that the allowable number of replication connections has been exceeded. The event description indicates whether the number of allowed inbound or outbound connections has been exceeded. |
| 20082 | Indicates that the number of connections has grown too rapidly. The event description indicates how many new connections have been created since the script last ran. |
| 20066 | An invalid parameter was detected. The event description identifies the invalid parameters and how to correct the problem. |
| 20002 | The script was not started by an event processing rule, and therefore it will not run. |

Rules

The events that are generated by this script are monitored by the processing rules in the following table.

| Rule | Description |
| --- | --- |
| Script Based Test Failed To Complete | Generates a warning alert from any event that is created by a script with the name AD* and the ID 21000. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |
| A domain controller has an extremely high number of replication partners | Generates an error alert when event 20081 of the severity level Error is created by the AD Replication Partner Count script. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |
| A domain controller has an unusually high number of replication partners | Generates a warning alert when event 20081 of the severity level Warning is created by the AD Replication Partner Count script. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |
| A domain controller has received a significant number of new replication partners | Generates a Warning alert when event 20082 of the severity level Warning is created by the AD Replication Partner Count script. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |

AD Replication Partner Op Master Consistency

The AD Replication Partner Op Master Consistency script determines whether domain controllers agree with one another on the identity of the domain controllers holding the operations masters roles.

Parameters

This script is configured using script parameters in Microsoft Operations Manager 2000. The following table describes the configurable parameters.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script finished successfully, which can be useful for debugging purposes. |

How the Script Works

This script creates an instance of the OOMADs COM object and calls OOMADs.GetDomainForDC, passing in the local computer name and receiving the domain name for the domain controller. The script then uses the COM object to retrieve all replication partners for the domain controller, and it determines the domain of each domain controller. If the domain of the replication partner and the domain of the local domain controller are not the same, only the identities of the schema masters and domain naming masters (as identified by the two replication partners) are compared. Otherwise, the identities of all operations masters (as identified by the two replication partners) are compared. If the replication partners identify different operations master role holders for one or more of the operations masters, the script generates an event indicating the conflicting operations master role (domain naming operations master, RID operations master, schema operations master, infrastructure operations master, and PDC emulator operations master) and the conflicting identities that are provided by the two replication partners. The OOMADs COM object is used to determine which computer holds each operations master role.
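The comparison rule in the paragraph above (forest-wide roles are always compared, per-domain roles only between partners in the same domain) is sketched below on constructed data. This is an added example that does not call the OOMADs COM object; the dictionary layout, the function name, the case-insensitive comparison and the child domain name are assumptions.

```python
# Roles with one holder per forest versus one holder per domain.
FOREST_ROLES = ("schema", "domain naming")
DOMAIN_ROLES = ("RID", "infrastructure", "PDC emulator")


def compare_op_masters(local, partner):
    """Compare two DCs' views of the operations master role holders.

    Each argument is a dict with 'name', 'domain' and 'roles' (role -> holder
    as that DC reports it). Returns (event number, role, local view, partner view).
    """
    roles = FOREST_ROLES
    if local["domain"].lower() == partner["domain"].lower():
        roles = FOREST_ROLES + DOMAIN_ROLES   # same domain: compare every role

    events = []
    for role in roles:
        mine = local["roles"].get(role, "")
        theirs = partner["roles"].get(role, "")
        if not mine or not theirs:
            # An empty role holder string was returned for this role.
            events.append((20045, role, mine, theirs))
        elif mine.lower() != theirs.lower():
            # The two replication partners disagree on the role holder.
            events.append((20041, role, mine, theirs))
    return events


# Constructed sample views. DC2 still believes a retired server holds the RID role.
LOCAL = {
    "name": "DC1", "domain": "cohovineyard.com",
    "roles": {"schema": "DC1", "domain naming": "DC1", "RID": "DC1",
              "infrastructure": "DC2", "PDC emulator": "DC1"},
}
SAME_DOMAIN_PARTNER = {
    "name": "DC2", "domain": "cohovineyard.com",
    "roles": {"schema": "DC1", "domain naming": "DC1", "RID": "DC9",
              "infrastructure": "DC2", "PDC emulator": "DC1"},
}
# A partner in another domain legitimately has different per-domain role holders.
CHILD_DOMAIN_PARTNER = {
    "name": "CH1", "domain": "child.cohovineyard.com",
    "roles": {"schema": "DC1", "domain naming": "DC1", "RID": "CH1",
              "infrastructure": "CH1", "PDC emulator": "CH1"},
}

if __name__ == "__main__":
    for partner in (SAME_DOMAIN_PARTNER, CHILD_DOMAIN_PARTNER):
        print(partner["name"], compare_op_masters(LOCAL, partner))
```
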

Events

This script generates the events in the following table.

| Event Number | Purpose |
| --- | --- |
| 21000 | An error was encountered during the running of the script that the script does not specifically handle, including errors that are returned by the WMI provider, errors in binding to the RootDSE, and so on. The error message describes the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 20046 | Indicates that the script could not bind to the ADsPath that was returned by the COM object. The ADsPath should identify one of the replication partners of the local domain controller. |
| 20045 | The COM object returned an empty string when it was queried for one of the operations master role holders. |
| 20041 | An inconsistency exists between the domain controller that the local domain controller identifies as holding a given operations master role and the domain controller that the replication partner identifies as holding that same operations master role. |
| 20040 | This event is generated only when the script parameter LogSuccessEvent is True. The event is generated only when the local domain controller and the replication partner agree on the identity of an operations master role holder. |
| 20034 | Indicates that the OOMADs COM object returned an error while enumerating the replication partners for the local domain controller. |
| 20002 | Indicates that the script was not run by an event processing rule, and therefore it will not run. |

Rules

The events generated by this script are monitored by the following rule.

| Rule | Description |
| --- | --- |
| Script Based Test Failed to Complete | Generates a warning alert from any event 21000 that is created by a script with the name AD*. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |

AD Server Moved Site

The AD Server Moved Site script determines whether the local domain controller has changed sites since the previous running of the script. It generates an information alert if the domain controller has changed sites.

Parameters

This script accepts the parameter in the following table.

| Parameter Name | Default Value | Valid Range | What It Does |
| --- | --- | --- | --- |
| LogSuccessEvent | False | True/False | Determines whether to log an event indicating that the script finished successfully, which can be useful for debugging purposes. |

How the Script Works

The script retrieves the SiteGUID that was stored during the previous script run. The SiteGUID identifies the Site object in the directory in which the domain controller resided. The script binds to the RootDSE of the local domain controller and retrieves the ConfigurationNamingContext attribute. This attribute is then used to perform a search in the CN=Sites container in the configuration directory partition, with a search filter of (cn=LocalComputerName), which returns the ADsPath of the local computer object. If this search succeeds, the script binds to the ADsPath that is returned, which returns the local computer object in the directory. From this object, the Parent property is used to get the ADsPath of the parent object, which is the object that represents the site in which the local domain controller resides. The script also binds to the ADsPath of the parent object to read the GUID property. This GUID is compared with the SiteGUID retrieved earlier. If these globally unique identifiers (GUIDs) are different, the script attempts to find the original site by performing a search for all the sites in the configuration directory partition, binding to each site that is returned and comparing the site’s GUID with the SiteGUID that was retrieved earlier. After the site has been found (that is, when the GUIDs match), the name of the site is stored. If none of the GUIDs match, the original site is assumed to have been deleted. An event is then created indicating that the server has moved sites. The event description identifies the current site and the previous site of the local domain controller or whether the previous site has been deleted.

If the original bind to the RootDSE fails, and if the NetLogon service is running, an event is created indicating that the bind failed and describing the reason for the failure. If the NetLogon service is not running, an event is created indicating that the bind failed because DC Locator is not running. The event also describes the error that was returned by the bind.

If LogSuccessEvent is true, when the script completes, it generates an event indicating the length of time the script took to complete.

Events

This script generates the events in the following table.

| Event | Purpose |
| --- | --- |
| 21000 | An error was encountered during the running of the script that the script does not specifically handle, including errors that are returned by the WMI provider, errors in binding to the RootDSE, and so on. The error message describes the operation that caused the error, along with the error number and, if possible, a description of the error. |
| 22001 | Indicates that the computer object could not be found in Active Directory. This event can occur if the local domain controller has been demoted but is still running ADMP. |
| 20036 | Indicates that the domain controller has changed sites. The event description indicates the original site and the current site for the domain controller. |
| 20099 | Indicates that the script completed successfully, and lists the length of time that the script took to run. |
| 20002 | Indicates that the script was not run by an event processing rule, and therefore it will not run. |

Rules

The events generated by this script are monitored by the processing rules in the following table.

| Rule | Description |
| --- | --- |
| Script - AD Server Moved Site | Causes the script to run (once per day, by default). |
| Script Based Test Failed to Complete | Generates a warning alert from any event 21000 that is created by a script with the name AD*. The alert is suppressed on the following attributes: Source Name, Event Number, Computer, and Logging Domain. |
| The server has moved between sites | Generates an informational alert when the event with ID 20036 is created by the AD Server Moved Site script. The alert is suppressed on the following attributes: Source Name, Event Number, Event Description, Computer, and Logging Domain. |

Client-Side Monitoring

Simply monitoring domain controllers does not guarantee that, from the perspective of a directory client, Active Directory is healthy. For example, servers running Exchange 2000 Server that rely on Active Directory may encounter a problem connecting to or communicating with a domain controller. In this case, from the perspective of Exchange 2000 Server, Active Directory is not healthy, even though the domain controller may not have reported any Active Directory problems.

Directory clients, such as Exchange 2000 Server, that depend heavily on domain controllers may detect problems more quickly than Active Directory Management Pack, and in some cases they may detect problems that are not detected by ADMP.

In this situation, monitoring domain controller health from the perspective of one or more directory clients is very important. The client computers that are used for such monitoring can be dedicated to this task, or they can be used for other roles as well. Any client that is used for client-side monitoring should be placed physically near the computers, such as servers running Exchange 2000 Server, that depend heavily on Active Directory.

Active Directory Management Pack includes four modes of operation for client-side monitoring:

Full — All domain controllers in the domain are monitored.

Specific Site — Only domain controllers in the specified sites are monitored.

Local Site — Only domain controllers in the client’s site are monitored.

Specific — Only specified domain controllers are monitored.

These modes can be configured in the Microsoft Operations Manager 2000 console by configuring the script parameters on the Script - AD Client Update DCs processing rule, which is in the Active Directory Client Side Monitoring processing rules group.

In the Full, Specific Site, and Local Site modes, discovery of the domain controllers is performed once per day by default. If discovery is not possible, this script falls back to the existing collection of domain controllers that it has already discovered.

You can configure both a list of specific domain controllers and a list of sites to test. In this case, the individual domain controllers that you specify, and all domain controllers in each of the sites that you specify, are tested.

To configure a computer to run the Active Directory Management Pack client-side tests, you must add the computer manually to the Active Directory Client Side Monitoring computer group. Microsoft Operations Manager 2000 then downloads the tests automatically to the client. The client can be dedicated to monitoring, or it can fulfill another role, such as the role of a server running Exchange 2000 Server or the role of a domain controller.

Registry Configuration of Client-Side Monitoring Scripts

You can configure parameters for client-side monitoring scripts through the MOM console. Or, if you want to customize script parameters for a client-side monitoring computer, you can edit the registry of that computer. The configuration parameters are located in the registry at:

The test key may include a number of keys, each with the name of a different script in Microsoft Operations Manager 2000. Each of these keys may contain one or more values. The name of each value corresponds to a script parameter. Any value that is provided in any of these keys overrides the corresponding value that is set in the MOM console.

In the following example, the registry values for BindThreshold, FailureThreshold, LogSuccessEvent, and SearchThreshold that are given for the AD Client Connectivity script override the values for those same parameters that are set in the MOM console:

Active Directory Management Pack client-side monitoring includes the four scripts in the following table.

| Script | Processing Rule | Frequency |
| --- | --- | --- |
| AD Client Update DCs | Script - AD Client Update DCs | 1 day |
| AD Client Connectivity | Script - AD Client Connectivity | 5 minutes |
| AD Client Serverless Bind | Script - AD Client Serverless Bind | 15 minutes |
| AD Client PDC response | Script - AD Client PDC Response | 10 minutes |

The following sections describe each of these scripts.

AD Client Update DCs

The AD Client Update DCs script runs once per day by default, and it discovers the domain controllers for a client computer performing client-side monitoring. If no domain controllers are specified in the configuration on the client, these domain controllers are stored in the DCTargets collection. If the DCTargets collection is empty, the domain controllers that are specified in the AD Client Update DCs script parameter are added to the DCTargets collection. If there are sites that are specified in the configuration on the client, the domain controllers in each of the specified sites are added to the DCTargets collection. If the discovery mode is Specific Site, the domain controllers in the specified sites (as specified in the Sites parameter in the AD Client Update DCs script in Microsoft Operations Manager 2000) are added to the DCTargets collection. If the discovery mode is Local Site, the domain controllers in the local site are added to the DCTargets collection. If the discovery mode is Full and the DCTargets collection is empty, the domain controllers for the entire domain that the client is joined to are added to the DCTargets collection. The test suite is run against all the domain controllers in the DCTargets collection.

AD Client Connectivity

The AD Client Connectivity script runs at five-minute intervals by default to verify that the targeted domain controllers are available to clients.

Each of the test runs is based on default parameters that are stored in Microsoft Operations Manager 2000. These defaults can be overridden in the registry.

The tests that are run by the script for each tested domain controller include the following:

Internet Control Message Protocol (ICMP) ping

Net use to the SYSVOL

LDAP ping

ADSI Bind to RootDSE

Binding and searching using ADSI (and, indirectly, LDAP)

ICMP Ping

For each domain controller being tested, the script gets the IP address of the domain controller from a DNS server and performs an ICMP ping against the domain controller. If the attempt to get the IP address fails, a Warning alert is generated, indicating the configured DNS servers for the client.

If the client successfully gets the IP address, but the ping fails, the script retries the ping after half a second. If the second attempt fails, a Warning alert is generated.

If the ICMP Ping test fails, the script moves on to test the next domain controller.

Net Use

For each domain controller being tested, the script attempts a net use to the SYSVOL share of the domain controller.

If the net use fails, a Warning alert is generated.

LDAP Ping

For each domain controller being tested, an LDAP ping is performed. If the ping fails, the script waits for half a second and then tries the ping again. If the second attempt fails, a Warning alert is generated for the domain controller being tested.

If the LDAP Ping test fails, the script moves on to test the next domain controller.

ADSI Bind/Search

For each domain controller being tested, the script attempts to bind to the RootDSE of the domain controller, using ADSI. If the bind fails, no search is attempted.

If the bind succeeds, the script performs a search for the domain controller (using a subtree search in the default directory partition and cn=computername as the filter), using information that is retrieved from the RootDSE object. The time necessary to perform this search is recorded as performance data. If the time necessary to perform the search is greater than the specified absolute maximum search time allowed, the script generates a Warning alert.

If either the search or the bind fails, the script generates a Warning alert.

AD Client Serverless Bind

For each domain controller being tested, a serverless bind is performed on the RootDSE object. If the domain controller resides outside the site of the client computer that is running the script, the script generates a Warning alert. If the server cannot be contacted, the script generates an Error alert.

If the bind succeeds, the script records the time taken to perform the bind. If this time exceeds the specified absolute maximum bind time allowed, the script generates a Warning alert.

AD Client PDC response

In this test, the script attempts to discover and ping the PDC emulator operations master for the domain. If the script finds the PDC emulator operations master, the script uses ADSI to perform an LDAP bind. If either the ping or the bind fails, the script generates a Warning alert.

Reporting Failures

When a failure occurs in any test that is run by a client-side monitoring script, an error is generated, with the domain controller being tested as the source of the error. This causes any alerts that are generated to be assigned to the appropriate domain controller in Microsoft Operations Manager 2000.

The information in the alerts includes the following:

The time that the failure occurred

The domain controller to which the failure relates

The client computer (identified by IP address and computer name) that detected the failure

The type of failure and, where applicable, any other relevant test results

If a test fails, a Microsoft Operations Manager 2000 alert is generated at the MOM console. The severity of the alert depends on the test and how it failed. Alerts that are generated from a single test are suppressed at the MOM console.

To prevent flooding the MOM console with alerts, the tests are carried out in such an order that if a more basic test fails, subsequent tests that rely on that basic functionality are not performed. For example, if an ICMP Ping fails, no other network-based tests are run. The only alert that is generated in such a case is for the ping failure.

Events

The client-side scripts report the events in the following table.

| Event Number | Description of Event |
| --- | --- |
| 25000 | Indicates that a script finished running successfully. |
| 25001 | Indicates that an error occurred while the script was running. This does not indicate an error in the script, merely that an error was encountered, usually returned by ADSI or WMI. |
| 25002 | Indicates that the script can only be run from an event rule in MOM. This error only appears if someone manually makes this script a response to a nonevent rule. |
| 25003 | Indicates that a parameter has been incorrectly configured. The event text indicates the actual configuration error. |
| 21001 | One of the client connectivity tests failed. The event text indicates which test failed and the reason for the failure. One event is generated for each failure. This event does not generate an alert. To view these events, view the Client Side Events public view. |
| 21002 | The number of consecutive client connectivity tests has exceeded the threshold. This event generates an alert. |
| 21003 | This event is generated when the client connectivity script completes successfully, after an event 21002 has occurred. |
| 21004 | Indicates that the PDC emulator operations master could not be contacted from the client computer. |
| 21006 | Indicates that an error occurred during domain controller discovery. The affected computer (or site, or domain) is identified in the event text. Other domain controllers are not affected by this failure, and they will continue to be monitored. |

These events can be viewed in the Client Side Events public view, which is located in the Client Side Monitoring public view group. For more information, see the next section, “Appendix B: Active Directory Management Pack Views.”
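An added Python example (not ADMP code) of the test order and retry rules described under AD Client Connectivity and Reporting Failures, with events 21001 to 21003 derived from each run. The probe callables, `check_dc`, `FailureTracker`, the use of seconds for the search threshold, and the reading of event 21002 as a per-domain-controller count of consecutive failed runs are assumptions.

```python
import time

RETRY_DELAY = 0.5  # seconds between the first and second ping attempt


def _with_retry(probe, target, sleep):
    """Run a probe; on failure wait half a second and try exactly once more."""
    if probe(target):
        return True
    sleep(RETRY_DELAY)
    return bool(probe(target))


def check_dc(dc, probes, search_threshold, sleep=time.sleep):
    """Return a list of (test_name, detail) failures for one domain controller.

    probes is a dict of callables standing in for the real network calls
    (hypothetical names), so the sequence can be exercised offline.
    """
    ip = probes["resolve"](dc)
    if ip is None:
        return [("ICMP Ping", "DNS lookup failed; check the client's DNS servers")]
    if not _with_retry(probes["icmp_ping"], ip, sleep):
        # No later test can succeed, so report the ping alone and move on.
        return [("ICMP Ping", f"no reply from {ip} after retry")]

    failures = []
    if not probes["net_use_sysvol"](dc):
        failures.append(("Net Use", "could not connect to the SYSVOL share"))
    if not _with_retry(probes["ldap_ping"], dc, sleep):
        failures.append(("LDAP Ping", "no reply after retry"))
        return failures  # next domain controller
    if not probes["bind_rootdse"](dc):
        failures.append(("ADSI Bind", "bind to RootDSE failed"))
        return failures  # no search without a bind
    elapsed = probes["search"](dc)  # seconds taken, or None on failure
    if elapsed is None:
        failures.append(("ADSI Search", "search failed"))
    elif elapsed > search_threshold:
        failures.append(("ADSI Search",
                         f"took {elapsed:.1f}s, limit {search_threshold:.1f}s"))
    return failures


class FailureTracker:
    """Turns per-run results into events 21001, 21002 and 21003."""

    def __init__(self, failure_threshold):
        self.failure_threshold = failure_threshold
        self._streak = {}      # dc -> consecutive failed runs
        self._alerted = set()  # dcs with a 21002 not yet cleared by 21003

    def record(self, dc, failures):
        events = [(21001, dc, f"{name}: {detail}") for name, detail in failures]
        if failures:
            self._streak[dc] = self._streak.get(dc, 0) + 1
            over = self._streak[dc] > self.failure_threshold
            if over and dc not in self._alerted:
                self._alerted.add(dc)
                events.append((21002, dc,
                               f"{self._streak[dc]} consecutive failed runs"))
        else:
            self._streak[dc] = 0
            if dc in self._alerted:
                self._alerted.discard(dc)
                events.append((21003, dc, "connectivity tests succeeded again"))
        return events


def sample_probes(**overrides):
    """Constructed probes: every test succeeds unless overridden."""
    probes = {
        "resolve": lambda dc: "192.0.2.10",   # documentation address
        "icmp_ping": lambda ip: True,
        "net_use_sysvol": lambda dc: True,
        "ldap_ping": lambda dc: True,
        "bind_rootdse": lambda dc: True,
        "search": lambda dc: 0.2,
    }
    probes.update(overrides)
    return probes


if __name__ == "__main__":
    tracker = FailureTracker(failure_threshold=2)
    down = sample_probes(ldap_ping=lambda dc: False)
    for probes in (down, down, down, sample_probes()):
        failures = check_dc("dc1.corp.example", probes, 1.0, sleep=lambda s: None)
        print(tracker.record("dc1.corp.example", failures))
```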

Appendix B: Active Directory Management Pack Views

Active Directory Management Pack provides default public views that are related to Active Directory monitoring. These predefined views offer you an immediate glimpse of the monitored application or environment.

Active Directory Management Pack Views

The following tables provide brief descriptions of the default public views that are provided with Active Directory Management Pack.

Note: To open any of these views, double-click Monitor in the MOM Administrator Console, double-click Public Views, and then double-click Active Directory.

Client-Side Monitoring

| View | Description |
| --- | --- |
| Client Side Events | Displays all events from client-side monitoring that occurred during the specified time period. |

Appendix C: Active Directory Management Pack Reports

For information about Active Directory Management Pack reports, see “Appendix A: ADMP Reports” in the “Microsoft Active Directory Management Pack Guide” on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18045.

Appendix D: Active Directory WMI Providers

WMI provides access to information about objects in a managed environment. A WMI provider is a COM object that acts as an intermediary between WMI and a managed object. A provider can be preinstalled with a managed object, or a developer can create a custom provider to use with a unique technology.

The replprov WMI provider supports both Windows 2000 Server and Windows Server 2003, and it allows access to Active Directory replication API calls through the WMI interface. Replprov is available by default on Windows Server 2003 domain controllers, and it is also available on the Microsoft Operations Manager 2000 product CD.

Trustmon

The Trustmon WMI provider was introduced with Windows Server 2003. It is an instance provider that creates classes with information about the trust relationships between domains. For more information about the Trustmon provider, see “Trustmon Provider” on the Microsoft MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=18079.

The Active Directory Management Pack COM helper object, OOMADs, is used by several ADMP monitoring scripts for making system calls that are not available in Microsoft® Visual Basic®, Scripting Edition (VBScript).

This appendix briefly describes the functions that are available in OOMADs.

Note: This section is provided for informational use only. Microsoft does not provide programming support for the use of OOMADs.

OomADsInfo Object

The OomADsInfo object is the object that implements most of the OOMADs functionality. It implements IOOMADsInfo2, which inherits from IOOMADsInfo. By definition, it implements that interface as well.

IOOMADsInfo

BindLast (property - readonly)

BindLast retrieves the most recent bind time, which is set by the following methods:

BindSchemaMaster

BindPDCMaster

BindRIDMaster

BindInfrastructureMaster

BindDomainNamingMaster

GetDomainControllersEnum

GetGlobalCatalogsEnum

BindLostFoundContainer

BindObject

GetReplicationPartnersEnum

GetObjectDNByGUID

BindTotal (property — readonly)

BindTotal is the cumulative time taken for all binds that have occurred on the current instance of the OOMADs object. BindTotal is updated by the same methods as BindLast.

BindCount (property — readonly)

BindCount is the number of binds that have occurred on the current instance of the OOMADs object. BindCount is updated by the same methods as BindLast.

UserName (property — read/write)

UserName either sets or gets the user name that will be used for performing binds and search operations. This property is used in conjunction with the Password property.

Password (property — write only)

Password sets the password that will be used for performing binds and search operations. This property is used in conjunction with the UserName property.

Domain (property — read/write)

Domain sets the domain that will be used for performing binds or search operations.

LostAndFoundCount (property — read only)

LostAndFoundCount is the number of objects that were found in the Lost and Found container the last time that BindLostFoundContainer was invoked on the current instance of the OOMADs COM object.

Server (property — read/write)

Server specifies which server should be used for binding or performing search operations.

SchemaMaster (property — read only)

SchemaMaster returns the DNS name of the current schema master. The location from which the name is returned depends on the Server and Domain properties.

SchemaMasterBind (property — read only)

SchemaMasterBind returns the time taken for the last bind that is initiated by the BindSchemaMaster method. Immediately after BindSchemaMaster is called, the LastBind property and the SchemaMasterBind property are the same value.

PDCMaster (property — read only)

PDCMaster returns the DNS name of the current PDC emulator operations master. The location from which the name is returned depends on the Server and Domain properties.

PDCMasterBind (property — read only)

PDCMasterBind returns the time taken for the last bind that is initiated by the BindPDCMaster method. Immediately after BindPDCMaster is called, the LastBind property and the PDCMasterBind property are the same value.

RIDMaster (property — read only)

RIDMaster returns the DNS name of the current RID operations master. The location from which the name is returned depends on the Server and Domain properties.

RIDMasterBind (property — read only)

RIDMasterBind returns the time taken for the last bind that is initiated by the BindRIDMaster method. Immediately after BindRIDMaster is called, the LastBind property and RIDMasterBind property are the same value.

InfrastructureMaster (property — read only)

InfrastructureMaster returns the DNS name of the current infrastructure operations master. The location from which the name is returned depends on the Server and Domain properties.

InfrastructureMasterBind (property — read only)

InfrastructureMasterBind returns the time taken for the last bind that is initiated by the BindInfrastructureMaster method. Immediately after BindInfrastructureMaster is called, the LastBind property and the InfrastructureMasterBind property are the same value.

DomainNamingMaster (property — read only)

DomainNamingMaster returns the DNS name of the current domain naming operations master. The location from which the name is returned depends on the Server and Domain properties.

DomainNamingMasterBind (property — read only)

DomainNamingMasterBind returns the time taken for the last bind that is initiated by the BindDomainNamingMaster method. Immediately after BindDomainNamingMaster is called, the LastBind property and DomainNamingMasterBind property are the same value.

BindObject (method)

BindObject binds to an object and returns an IDispatch pointer to an interface on the object. The object path is specified as one of the parameters. This method also updates the LastBind, BindCount, and BindTotal properties.

BindLostFoundContainer (method)

BindLostFoundContainer binds to the Lost and Found container. It then iterates through the container and counts the number of items in that container. The count is stored internally in the object, and it is accessible through the LostAndFoundCount property.

BindDomainNamingMaster (method)

BindDomainNamingMaster binds to the domain naming master and returns TRUE if the bind is successful. It also updates the LastBind, BindCount, BindTotal, and DomainNamingMasterBind properties.

BindInfrastructureMaster (method)

BindInfrastructureMaster binds to the domain naming master and returns TRUE if the bind is successful. It also updates the LastBind, BindCount, BindTotal, and InfrastructureMasterBind properties.

BindPDCMaster (method)

BindPDCMaster binds to the domain naming master and returns TRUE if the bind is successful. It also updates the LastBind, BindCount, BindTotal, and PDCMasterBind properties.

BindRIDMaster (method)

BindRIDMaster binds to the domain naming master and returns TRUE if the bind is successful. It also updates the LastBind, BindCount, BindTotal, and RIDMasterBind properties.

BindSchemaMaster (method)

BindSchemaMaster binds to the domain naming master and returns TRUE if the bind is successful. It also updates the LastBind, BindCount, BindTotal, and SchemaMasterBind properties.

SearchGlobalCatalog (method)

SearchGlobalCatalog performs a search on a global catalog. The global catalog cannot be specified by the user. The filter for the search is passed as a parameter to this method.

GlobalCatalogSearchTime (property — readonly)

GlobalCatalogSearchTime returns the time taken to search the global catalog as determined when the SearchGlobalCatalog method is called on the current instance of the OOMADs COM object.

GetDomainControllersEnum (method)

GetDomainControllersEnum returns the IEnumADsPath interface of an OomADSPathEnum object. When it is returned, this enumerator object holds ADsPath strings to all of the domain controllers in the forest. These strings are obtained by searching the CN=Sites,… container in the configuration naming context for all objects matching the filter objectClass=server.

GetReplicationPartnersEnum (method)

GetReplicationPartnersEnum returns the IEnumADsPath interface of an OomADsPathEnum object. When it is returned, this enumerator object holds ADsPath strings to all of the replication partners that replicate to the server that is specified by the Server property. If no server has been specified, an error is generated. This method does not default to the local computer. This method does not get replication partners that replicate from the specified server.

Ping (method)

The Ping method is used to perform four ICMP pings to a computer, and it returns the average time taken for each ping. The computer is identified by either a host name or an IP address that is passed in.

ReplicationModifyObject (method)

ReplicationModifyObject updates an object in a container in the default naming context for the server that is specified by the Server property. The object is CN=Server,CN=OnePointReplicationLatency,DC=… where Server is the server name that is specified by the Server property and DC=… is the distinguished name for the default naming context. The update increments the value of the revision attribute on the object. If either the container or the object representing the server does not exist, it is created.

ReplicationLastModifyInfo (method)

ReplicationLastModifyInfo returns the revision and whenChanged attributes from the object CN=Server,CN=OnePointReplicationLatency,DC=… where Server is the server name that is specified by the Server property and DC=… is the distinguished name for the default naming context.

ReplicationCheckDomainController (method)

ReplicationCheckDomainController returns the revision and whenChanged attributes from the object representing a server, which is specified by the Server property, on a domain controller that is specified by a parameter to the method.

GetDatabaseInfo (method)

GetDatabaseInfo retrieves information about the database location (the location of the Active Directory DIT), the database size, and the amount of free space on the drive that the database resides on, and it returns that information to the caller.

LastError (method)

LastError returns a string representation of the last error that occurred during a method call on the object. It may be reset to success by a successful method call.

PingDomainNamingMaster (method)

PingDomainNamingMaster pings the current domain naming operations master. The location from which the ping originates depends on the Server and Domain properties. It also records the amount of time taken to perform the ping.

DomainNamingMasterPing (property)

DomainNamingMasterPing retrieves the time taken to ping the domain naming operations master during the last PingDomainNamingMaster method call.

PDCMasterPing (property)

PDCMasterPing retrieves the time taken to ping the PDC emulator operations master during the last PingPDCMaster method call.

RIDMasterPing (property)

RIDMasterPing retrieves the time taken to ping the RID operations master during the last PingRIDMaster method call.

SchemaMasterPing (property)

SchemaMasterPing retrieves the time taken to ping the schema operations master during the last PingSchemaMaster method call.

InfrastructureMasterPing (property)

InfrastructureMasterPing retrieves the time taken to ping the infrastructure operations master during the last PingInfrastructureMaster method call.

PingInfrastructureMaster (method)

PingInfrastructureMaster pings the current infrastructure operations master. The location from which the ping originates depends on the Server and Domain properties. It also records the amount of time taken to perform the ping.

PingSchemaMaster (method)

PingSchemaMaster pings the current schema operations master. The location from which the ping originates depends on the Server and Domain properties. It also records the amount of time taken to perform the ping.

PingPDCMaster (method)

PingPDCMaster pings the current PDC emulator operations master. The location from which the ping originates depends on the Server and Domain properties. It also records the amount of time taken to perform the ping.

PingRIDMaster (method)

PingRIDMaster pings the current RID operations master. The location from which the ping originates depends on the Server and Domain properties. It also records the amount of time taken to perform the ping.

GetLogFileInfo (method)

GetLogFileInfo retrieves information about the database log file location (the location of the log file for the Active Directory DIT), the file size, and the amount of free space on the drive that the log file resides on, and it returns that information to the caller.

GetIPAddress (method)

GetIPAddress returns the IP address of a computer whose name is passed in as a parameter to the method.

GetObjectDNByGUID (method)

GetObjectDNByGUID returns the distinguished name of an object whose GUID is passed in as a parameter to the method. The GUID is passed as a string in the form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

NextGlobalCatalog returns the DNS name of the next global catalog from the internal collection of global catalogs.

GetGlobalCatalogsEnum (method)

GetGlobalCatalogsEnum returns the IEnumADsPath interface of an OomADSPathEnum object. When it is returned, this enumerator object holds ADsPath strings to all of the global catalogs in the forest. These strings are obtained by searching the CN=Sites container in the configuration naming context for all objects matching the filter (&(objectCategory=ntdsDsa)(options:1.2.840.113556.1.4.803:=1)) and by getting the parent of each object that is returned.
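The selection logic described above, as an added example that is not the Management Pack's own code: it applies the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to constructed search results and returns the parent of each match. The helper names, the example.com forest and the sample entries are assumptions made for illustration.

```python
# Added example: constructed data and hypothetical helper names.
GC_BIT = 0x1  # assertion value in (options:1.2.840.113556.1.4.803:=1)

def bit_and_match(attr_value, assertion):
    """Bitwise-AND matching rule: true when every asserted bit is set."""
    return (int(attr_value) & assertion) == assertion

def parent_dn(dn):
    """Return dn without its first RDN, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escape and the character it protects
        elif dn[i] == ",":
            return dn[i + 1:]
        else:
            i += 1
    raise ValueError("DN has no parent: %r" % dn)

def global_catalog_servers(entries):
    """Keep ntdsDsa entries with the GC bit set; return each one's parent DN."""
    servers = []
    for entry in entries:
        if entry.get("objectCategory", "").lower() != "ntdsdsa":
            continue
        # A missing options attribute is treated as 0 (no bits set).
        if bit_and_match(entry.get("options", 0), GC_BIT):
            servers.append(parent_dn(entry["dn"]))
    return servers

SITES = "CN=Sites,CN=Configuration,DC=example,DC=com"  # constructed forest
SAMPLE_ENTRIES = [  # constructed search results, not real directory data
    {"dn": "CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ," + SITES,
     "objectCategory": "ntdsDsa", "options": 1},
    {"dn": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ," + SITES,
     "objectCategory": "ntdsDsa", "options": 4},   # other bit only
    {"dn": "CN=NTDS Settings,CN=DC03,CN=Servers,CN=Branch," + SITES,
     "objectCategory": "ntdsDsa", "options": 5},   # GC bit plus another bit
    {"dn": "CN=NTDS Settings,CN=DC04,CN=Servers,CN=Branch," + SITES,
     "objectCategory": "ntdsDsa"},                 # options not set
    {"dn": "CN=DC01,CN=Servers,CN=HQ," + SITES, "objectCategory": "server"},
]

if __name__ == "__main__":
    for server in global_catalog_servers(SAMPLE_ENTRIES):
        print(server)
```

DC03 is the case that shows why the filter uses the matching rule: a plain equality test (options=1) would miss a global catalog whose options value has other bits set as well.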

GetDomainForDC (method)

GetDomainForDC returns the domain name for the domain controller name that is passed in as a parameter to the method.

IOomADSInfo2

IsDCInClosestSite (method)

IsDCInClosestSite determines whether the domain controller whose name is passed in as a parameter is in the closest site to the local computer.

LDAPPing (method)

LDAPPing performs a User Datagram Protocol (UDP) search of a specific domain controller, similar to the search that is performed by the DC Locator. The method returns the time taken to perform the search.

GetFlatNameForDC (method)

GetFlatNameForDC returns the flat domain name for the domain that the domain controller is in. The domain controller is specified by a parameter.

Sleep (method)

Sleep pauses for a given number of milliseconds. The number of milliseconds is specified as a parameter.

GetDCsForSite (method)

GetDCsForSite returns a list of all the domain controllers in a specified site. The site is passed in as a parameter.

GetDCsForDomain (method)

GetDCsForDomain returns a list of all the domain controllers in a specified domain. The domain is passed in as a parameter.

InterfaceSupportsErrorInfo indicates that the object supports error information only for IOOMADsInfo.

OomADSPathEnum Object

OomADSPathEnum holds collections of ADsPaths.

IEnumADsPath

IEnumADsPath is exclusively implemented by the OomADSPathEnum object. IEnumADsPath is an enumerator interface; that is, it enumerates the collection that is stored in the OomADSPathEnum object. Each enumerator interface that deals with a different data type must be redefined, but the interface has to support specific methods so that standard consumers can enumerate the collection in a generic way.

Next (method)

Next iterates over the next celt items, starting at the item that the internal iterator is pointing to. Next copies each item into the array that is passed in to hold the data.

Reset (method)

Reset sets the internal iterator back to the start of the list.

Skip (method)

Skip moves the iterator down the list by the specified number of items. If the iterator hits the end of the list, it stops and returns S_FALSE; otherwise, S_OK is returned.

Clone (method)

Clone returns E_NOTIMPL. This method is not implemented.

IOomADSPathEnum

IOomADSPathEnum holds the methods that are used to add items to the collection that is stored in the OomADSPathEnum object.

Note: This is a standard COM interface, but there is no reason for it to be. It could just be a public method on the class that is used internally from within OomADsInfo.

AddPath (method)

AddPath inserts the passed-in ADsPath string into the end of the internal list. It does not update the iterator.